CVE-2026-6275: StatCounter WordPress Plugin Stored XSS Vulnerability
The StatCounter – Free Real Time Visitor Stats WordPress plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated authors to inject malicious scripts into their posts. When any visitor views a post authored by an attacker, the injected script executes in their browser. The vulnerability exists because the plugin fails to properly escape the author's nickname before outputting it into JavaScript code on every post page.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-6275 is a stored XSS vulnerability in StatCounter plugin versions up to 2.1.1. The statcounter_addToTags() function, hooked to wp_head, retrieves the post author's nickname via the_author_meta() and directly echoes it into a JavaScript double-quoted string context within a <script> block. The absence of esc_js() or equivalent JavaScript-context escaping allows attackers with Author-level or higher privileges to craft a malicious nickname containing JavaScript code that persists in the WordPress database. This payload executes on every page view of that author's posts, affecting all visitors including unauthenticated users.
Business impact
This vulnerability creates a mechanism for privilege escalation and content manipulation within WordPress sites. Compromised author accounts—or attackers who gain author access—can inject JavaScript to harvest visitor credentials, redirect users to phishing sites, distribute malware, or deface content. For multi-author WordPress installations with external contributors, the attack surface expands significantly. The persistent nature of stored XSS means the malicious payload affects all future visitors until remediated, maximizing exposure window.
Affected systems
StatCounter – Free Real Time Visitor Stats plugin versions up to and including 2.1.1 running on WordPress are affected. The vulnerability is triggered whenever any user visits a post authored by an attacker, making any WordPress site using this plugin and hosting author-level users a potential target. Sites with permissive user roles or guest posting features face heightened risk.
Exploitability
Exploitation requires Author-level access or higher (Contributor role cannot author posts by default). The attack requires no user interaction from the victim—scripts execute automatically on page load. The CVSS score of 6.4 (Medium) reflects the requirement for authenticated access, but the network-accessible nature and broad victim reach (all site visitors) elevate practical risk. No active exploitation in the wild is currently documented (KEV status: not added).
Remediation
Update the StatCounter plugin to a patched version that applies esc_js() or similar JavaScript-context escaping to the author nickname output. Verify the fix against the plugin vendor's security advisory. Until patching is possible, restrict Author-level access to trusted internal users only, audit existing author accounts for suspicious nickname values, and consider disabling the plugin if it is not actively used for visitor analytics.
Patch guidance
Check the StatCounter plugin repository and vendor advisories for version 2.1.2 or later, which should address this vulnerability. Apply updates through the WordPress admin dashboard (Plugins > Updates) after testing in a staging environment. If a patch is not yet available, consider disabling the plugin or rolling back to an earlier version if vulnerabilities are confirmed in your deployment. Always verify patch applicability against the plugin's official security announcement.
Detection guidance
Review author and contributor account nicknames in WordPress (Users admin panel) for suspicious JavaScript code, quotes, or special characters that may indicate injection attempts. Check plugin configuration to ensure statcounter_addToTags() is not being exploited. Monitor website traffic and user behavior for redirects or anomalous script execution. Enable WordPress security logging to capture changes to user metadata. If you suspect exploitation, inspect the post_author_meta database table for injected JavaScript payloads targeting the 'nickname' field.
Why prioritize this
Although rated Medium severity, this vulnerability warrants prompt remediation in multi-user WordPress environments. The combination of stored persistence, automatic execution on every post view, and broad victim reach (all site visitors) makes it an attractive vector for attackers with author access. Organizations with guest blogging, contributor networks, or external user bases should prioritize patching. The requirement for authenticated access slightly lowers urgency compared to unauthenticated flaws, but the ease of exploitation once access is obtained justifies timely action.
Risk score, explained
CVSS 3.1 score of 6.4 (Medium) is driven by: Attack Vector (Network) and Attack Complexity (Low) reflecting easy exploitation via web interface; Privileges Required (Low) limiting scope to authenticated users; User Interaction (None) meaning no victim action needed; Scope (Changed) because the payload affects other visitors beyond the attacker; Confidentiality and Integrity (Low) due to potential data theft or content manipulation, though availability is not impacted. The score does not penalize the stored nature or broad exposure—consider raising prioritization internally if your site hosts many authors or has high visitor volume.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires at least Author-level WordPress access (or higher). However, once exploited, the resulting malicious script affects all visitors including unauthenticated ones.
What happens if I don't update the plugin?
If an attacker gains Author access, they can inject JavaScript into their author nickname that will execute in the browsers of every visitor viewing their posts. This could lead to credential theft, malware distribution, or phishing attacks.
How do I check if my site has been compromised?
Review all Author and higher-level user account nicknames in the WordPress Users admin panel for suspicious code or characters. You can also search the wp_usermeta database table for 'nickname' entries containing JavaScript or encoded payloads. Inspect your website's HTML source on post pages for unexpected script tags or JavaScript in the statcounter function.
Is there a workaround if a patch is not available?
Until a patch is released, restrict Author-level permissions to trusted internal staff, disable the StatCounter plugin if not actively used, or implement Web Application Firewall (WAF) rules to filter suspicious JavaScript in author fields. Regular audits of user accounts and metadata are essential during this window.
This analysis is based on publicly available vulnerability data and the CVE description. Verify all patch versions, vendor advisories, and affected product lists directly with the StatCounter plugin repository and WordPress.org. No active exploits are currently documented (KEV status negative as of the data publish date), but security landscapes evolve rapidly. Test any patches or configuration changes in a staging environment before production deployment. This information is provided for educational and risk management purposes and does not constitute legal advice or a guarantee of security. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1