CVE-2026-7634: SlimStat Analytics Stored XSS Vulnerability in WordPress Plugin
The SlimStat Analytics plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through the User-Agent header. When an administrator has enabled the 'show_complete_user_agent_tooltip' setting, these injected scripts will execute in the browsers of users who visit affected pages. This is a stored vulnerability, meaning the malicious payload persists in the database rather than requiring a specially crafted link. All versions up to and including 5.4.11 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed.
14 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7634 is a Stored XSS vulnerability (CWE-79) in the SlimStat Analytics WordPress plugin caused by insufficient input sanitization on the User-Agent HTTP header and inadequate output escaping when rendering tooltip data. An unauthenticated attacker can inject arbitrary HTML and JavaScript through normal HTTP requests containing a crafted User-Agent header. The vulnerability requires that the show_complete_user_agent_tooltip administrator setting be explicitly enabled (it is disabled by default) for the payload to render and execute. Once stored, the malicious script executes in the context of the victim's browser with the privileges of the authenticated WordPress user, potentially leading to session hijacking, credential theft, or malware distribution.
Business impact
This vulnerability poses a significant risk to WordPress sites relying on SlimStat Analytics for traffic monitoring. Because the XSS payload is stored and executes for all users who view the affected data, the blast radius can be large—especially if site administrators regularly review analytics dashboards. Compromised sessions could allow attackers to modify site content, steal sensitive data, or further compromise the WordPress installation. Organizations using this plugin should treat this as a high-priority item, particularly if the show_complete_user_agent_tooltip setting is enabled in their configurations.
Affected systems
WordPress installations with the SlimStat Analytics plugin installed and active, versions 5.4.11 and earlier. The vulnerability only manifests if the 'show_complete_user_agent_tooltip' setting has been explicitly enabled by a site administrator (this setting is disabled by default, which partially mitigates risk for unmodified installations). Any user with access to pages that display User-Agent tooltip data is at risk of executing the malicious payload.
Exploitability
Exploitation is relatively straightforward from a technical perspective: an attacker can craft HTTP requests with malicious User-Agent headers and does not require authentication or user interaction beyond the victim accessing an affected page. The attack vector is network-based and requires no elevated privileges. However, practical exploitation depends on the administrator having enabled the show_complete_user_agent_tooltip setting, which is not the default configuration. This requirement acts as a partial control, but should not be relied upon as the primary mitigation since administrators may enable this feature without fully understanding the security implications.
Remediation
Update the SlimStat Analytics plugin to a patched version released after 5.4.11. Verify the latest version against the official WordPress plugin repository or the vendor advisory. Additionally, disable the show_complete_user_agent_tooltip setting if it is not required for your analytics workflow. For sites unable to patch immediately, disabling the plugin or removing the setting will prevent exploitation until an update is available.
Patch guidance
Check the WordPress plugin repository or contact the SlimStat Analytics vendor for the availability of a patched version. Apply the latest security update as soon as it is released and verified. Test the patch in a staging environment to ensure compatibility with your WordPress theme and other plugins before deploying to production. Keep the plugin updated regularly going forward.
Detection guidance
Monitor web server and WordPress logs for HTTP requests containing suspicious User-Agent headers, particularly those containing HTML tags, script tags, or encoded payloads. Review SlimStat Analytics dashboard logs for unusual User-Agent entries. Use Web Application Firewalls (WAF) to block requests with potentially malicious User-Agent headers. If the show_complete_user_agent_tooltip setting is enabled, audit the tooltip output in your analytics interface for any unexplained or suspicious-looking entries. Consider searching your WordPress database for stored XSS payloads in tables related to SlimStat tracking data.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (7.2), network-based attack vector that requires no authentication, and the potential for wide-scale impact across site users. Although the show_complete_user_agent_tooltip setting is disabled by default, many administrators may have enabled it without realizing the security risk. The stored nature of the XSS means that once injected, the payload will execute repeatedly for all visitors, making this a persistent threat rather than a one-time incident.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects several critical factors: the attack vector is network-accessible with no authentication required (AV:N/PR:N), the attack complexity is low (AC:L), and the scope is changed, meaning the vulnerability affects resources beyond the vulnerable component (S:C). While confidentiality and integrity impacts are rated as low (C:L/I:L) and availability is not impacted (A:N), the combination of ease of exploitation and cross-site scope elevates this to HIGH severity. In a real-world context, the actual impact could be higher if the attacker leverages the XSS to steal session tokens or inject persistent backdoors.
Frequently asked questions
Does this vulnerability affect my site if I haven't enabled the show_complete_user_agent_tooltip setting?
The vulnerability exists in your plugin code, but it will not be exploitable if the show_complete_user_agent_tooltip setting remains disabled (the default state). However, you should still patch your plugin as soon as possible, since the setting could be accidentally enabled or an attacker could potentially enable it if they gain administrative access through another means.
Can an attacker exploit this without the plugin being active?
No. The plugin must be installed and activated on the WordPress site for this vulnerability to be exploitable. If SlimStat Analytics is not installed, your site is not affected by this CVE.
What should I do if I suspect my site has already been compromised by this vulnerability?
Check your WordPress user accounts for unauthorized admin or editor accounts, review recent database changes and file modifications using security plugins or forensic tools, and check your analytics logs for suspicious User-Agent entries. You may want to engage a WordPress security professional or incident responder to thoroughly audit the site and clean any backdoors. Also invalidate all active user sessions and force password resets.
Is there a workaround besides disabling the plugin or waiting for a patch?
The most effective workaround is to disable the show_complete_user_agent_tooltip setting in the SlimStat Analytics configuration. This will prevent the vulnerability from being exploited even though the vulnerable code remains. However, the proper long-term fix is to apply the security patch once it becomes available.
This analysis is based on publicly disclosed vulnerability information and vendor advisories as of the publication date. Security researchers and organizations should verify patch availability and compatibility within their specific environments before deployment. The information provided is for educational and defensive security purposes. For the most current patch status and remediation guidance, consult the official SlimStat Analytics vendor advisory and the WordPress plugin repository. SEC.co makes no warranty regarding the completeness or accuracy of security research and strongly recommends independent verification of all vulnerability details and remediation steps. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)