CVE-2026-2936

WordPress · Visitor Traffic Real Time Statistics

The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'page_title' parameter.

Executive summary

A Stored Cross-Site Scripting vulnerability in the Visitor Traffic Real Time Statistics plugin allows for malicious script injection, risking administrative session security.

Vulnerability

The plugin fails to sanitize the 'page_title' parameter, enabling attackers to store malicious JavaScript on the server. When an administrator views the statistics, the script executes, potentially allowing for unauthorized actions or session theft.
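As an added illustration (not code from the Visitor Traffic Real Time Statistics plugin), the unsafe store-then-print pattern this advisory describes is shown beside a hardened form that sanitizes on input and escapes on output with standard WordPress helpers; the table, column and function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. The table name, column name and
// vtrts_example_* function names are assumptions used only for illustration.

// UNSAFE pattern: a visitor-supplied page title is stored verbatim and later
// concatenated into the admin statistics page without escaping, so any markup a
// visitor sends is persisted and rendered in the administrator's browser.
function vtrts_example_record_visit_unsafe( $wpdb, $page_title ) {
    $wpdb->insert( $wpdb->prefix . 'example_visits', array( 'page_title' => $page_title ) );
}

function vtrts_example_render_row_unsafe( $row ) {
    return '<td>' . $row->page_title . '</td>'; // raw stored value reaches the DOM
}

// HARDENED pattern: sanitize at the trust boundary, then escape at output.
// sanitize_text_field() strips tags and control characters from the request
// value; wp_unslash() removes the slashes WordPress adds to request data.
function vtrts_example_record_visit_safe( $wpdb, $page_title ) {
    $clean = sanitize_text_field( wp_unslash( $page_title ) );
    $clean = mb_substr( $clean, 0, 255 ); // bound length to the assumed column width
    $wpdb->insert(
        $wpdb->prefix . 'example_visits',
        array( 'page_title' => $clean ),
        array( '%s' ) // explicit format so the value is bound as a string
    );
}

function vtrts_example_render_row_safe( $row ) {
    // Escape at the point of output regardless of what was stored: output
    // escaping is the control that neutralises stored markup, and it also
    // covers rows written before the sanitizing code was deployed.
    return '<td>' . esc_html( $row->page_title ) . '</td>';
}
```

The same escaping rule applies to every other stored, visitor-controlled field the statistics page prints (referrer, user agent, query string), not only the title.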

Business impact

With a CVSS score of 7.2, this vulnerability enables attackers to target site administrators. Successful exploitation could lead to full site control if administrative session cookies are compromised, resulting in significant business impact.

Remediation

Immediate Action: Update the Visitor Traffic Real Time Statistics plugin to the latest version.

Proactive Monitoring: Monitor for anomalous behavior in the WordPress dashboard and review logs for suspicious script activity.

Compensating Controls: Employ a Web Application Firewall (WAF) to filter malicious input in the 'page_title' field.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching of this plugin is required. Organizations should ensure that all WordPress plugins are kept up to date to defend against common injection vulnerabilities like XSS.