CVE-2026-5231 Overview
CVE-2026-5231 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Statistics plugin for WordPress in all versions up to and including 14.16.4. The flaw exists in the referral parser, which copies the raw utm_source value into the source_name field when a wildcard channel domain matches. The chart renderer later inserts this value into legend markup via innerHTML without escaping. Unauthenticated attackers can inject arbitrary scripts that execute when an administrator visits the Referrals Overview or Social Media analytics pages. The issue is classified under CWE-79.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript that executes in administrator browsers, enabling session theft, account takeover, and full WordPress site compromise.
Affected Products
- WP Statistics plugin for WordPress, versions through 14.16.4
- WordPress sites running the plugin's Referrals Overview analytics module
- WordPress sites running the plugin's Social Media analytics module
Discovery Timeline
- 2026-04-17 - CVE-2026-5231 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5231
Vulnerability Analysis
The vulnerability is a stored XSS issue in two coupled components of the WP Statistics plugin. The server-side ReferralsParser.php accepts the utm_source query parameter from inbound traffic and stores it without sanitization. The client-side chart.js renderer later writes this stored value into the DOM through innerHTML, executing any injected script in the administrator's browser context.
Because the injection vector is an unauthenticated HTTP request containing a utm_source parameter, any attacker who can drive traffic to the target site can plant a payload. Execution occurs asynchronously when an administrator opens the Referrals Overview or Social Media analytics pages, making this a classic stored-then-replayed XSS chain.
Successful exploitation allows attackers to perform actions in the administrator's session, including creating new admin accounts, modifying plugin code, or exfiltrating data. The scope change reflects that XSS executing in an admin context can pivot beyond the vulnerable component to compromise the entire WordPress installation.
Root Cause
The root cause is twofold: insufficient input sanitization in the referral parser and missing output escaping in the chart renderer. The parser at src/Service/Analytics/Referrals/ReferralsParser.php line 62 copies the raw utm_source value into source_name when a wildcard channel domain matches. The renderer at assets/dev/javascript/chart.js line 498 inserts that stored value into legend markup using innerHTML rather than textContent or an escaped equivalent.
Attack Vector
An unauthenticated attacker crafts a URL targeting the vulnerable WordPress site with a malicious utm_source value containing JavaScript. The attacker drives a single request to a page that triggers referral logging. The plugin stores the value. When an administrator later opens the analytics dashboard, the payload renders into the legend element and executes in the administrator's browser session.
The vulnerability is described in prose because no verified proof-of-concept code is available. See the Wordfence Vulnerability Analysis and the WordPress Code Changeset for technical details.
Detection Methods for CVE-2026-5231
Indicators of Compromise
- Inbound HTTP requests containing utm_source query parameters with <script>, onerror=, onload=, or other HTML/JavaScript syntax
- Unexpected administrator account creation, role changes, or plugin installations following analytics dashboard access
- Outbound requests from administrator browsers to unfamiliar domains shortly after loading the Referrals Overview or Social Media pages
- Database entries in the WP Statistics referrals tables where source_name contains markup or script syntax
Detection Strategies
- Inspect web server access logs for utm_source values containing characters such as <, >, ", ', or encoded equivalents like %3C
- Query the WP Statistics referrals storage for source_name values that include HTML tags or JavaScript keywords
- Monitor WordPress audit logs for administrative actions originating from the analytics admin pages
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) with rules targeting XSS payloads in query string parameters
- Alert on creation of new administrator accounts and unsolicited plugin or theme installations
- Track outbound connections from administrator workstations during WordPress admin sessions to identify data exfiltration
How to Mitigate CVE-2026-5231
Immediate Actions Required
- Update the WP Statistics plugin to a version later than 14.16.4 that contains the upstream fix referenced in the WordPress plugin changeset
- Audit existing referral data and purge any stored source_name entries containing HTML or script content
- Review WordPress user accounts, scheduled tasks (wp_cron), and recently modified plugin or theme files for signs of post-exploitation activity
Patch Information
The fix is committed in the WP Statistics trunk per the WordPress Code Changeset. The patch addresses both the unsanitized parser logic in ReferralsParser.php and the unsafe innerHTML usage in chart.js. Administrators should update through the WordPress plugin manager.
Workarounds
- Deactivate the WP Statistics plugin until the patched version is installed
- Deploy WAF rules to block requests where utm_source contains HTML special characters or known XSS patterns
- Restrict access to the WordPress admin area by IP allowlist to reduce the chance of administrator exposure to stored payloads
# Example WP-CLI commands to update or deactivate the plugin
wp plugin update wp-statistics
wp plugin deactivate wp-statistics
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

