WP Statistics – Simple, privacy-friendly Google Analytics alternative WordPress Plugin Security Vulnerabilities | WPScan

32

December 1, 2025

600000

Published

2025-09-26

Title

WP Statistics < 14.15.5 - Unauthenticated Stored XSS via User-Agent Header

Fixed in

Fixed in 14.15.5

CVSS

7.2 (high)

Published

2025-08-14

Title

WP Statistics < 14.15.2 - Missing Authorization

Fixed in

Fixed in 14.15.2

CVSS

4.3 (medium)

Published

2025-04-29

Title

WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin < 14.13.4 - Subscriber+ Arbitrary Plugin Settings Update

Fixed in

Fixed in 14.13.4

CVSS

6.5 (medium)

Published

2024-03-11

Title

WP Statistics < 14.5.1 - Unauthenticated Stored Cross-Site Scripting

Fixed in

Fixed in 14.5.1

CVSS

7.2 (high)

Published

2023-03-06

Title

WP Statistics < 14.0 - Authenticated SQLi

Fixed in

Fixed in 14.0

CVSS

7.7 (high)

Published

2023-01-31

Title

WP Statistics < 13.2.11 - Subscriber+ SQLi

Fixed in

Fixed in 13.2.11

CVSS

7.7 (high)

Published

2022-12-27

Title

WP Statistics < 13.2.9 - Authenticated SQLi

Fixed in

Fixed in 13.2.9

CVSS

7.7 (high)

Published

2022-05-24

Title

WP Statistic < 13.2.2 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 13.2.2

CVSS

3.4 (low)

Published

2022-05-10

Title

WP Statistics < 13.2.2 - Reflected Cross-Site Scripting

Fixed in

Fixed in 13.2.2

CVSS

3.4 (low)

Published

2022-02-17

Title

WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting

Fixed in

Fixed in 13.1.6

CVSS

7.2 (high)

Published

2022-02-16

Title

WP Statistic < 13.1.6 - Reflected Cross-Site Scripting

Fixed in

Fixed in 13.1.6

CVSS

6.1 (medium)

Published

2022-02-16

Title

WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_id

Fixed in

Fixed in 13.1.6

CVSS

9.8 (critical)

Published

2022-02-16

Title

WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via IP

Fixed in

Fixed in 13.1.6

CVSS

9.8 (critical)

Published

2022-02-16

Title

WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type

Fixed in

Fixed in 13.1.6

CVSS

9.8 (critical)

Published

2022-02-10

Title

WP Statistics < 13.1.5 - Unauthenticated Blind SQL Injection

Fixed in

Fixed in 13.1.5

CVSS

9.8 (critical)

Published

2021-09-11

Title

WP Statistics < 13.1.2 - Arbitrary Plugin Activation/Deactivation via CSRF

Fixed in

Fixed in 13.1.2

CVSS

6.5 (medium)

Published

2021-08-30

Title

WP Statistic < 13.1 - Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 13.1

CVSS

8.8 (high)

Published

2021-05-19

Title

WP Statistics < 13.0.8 - Unauthenticated SQL Injection

Fixed in

Fixed in 13.0.8

CVSS

7.5 (high)

Published

2019-07-03

Title

WP Statistics < 12.6.7 - Unauthenticated Stored XSS Under Certain Configurations

Fixed in

Fixed in 12.6.7

CVSS

n/a

Published

2019-07-01

Title

WP Statistics < 12.6.7 - Unauthenticated Blind SQL Injection

Fixed in

Fixed in 12.6.7

CVSS

9.8 (critical)

Published

2019-05-30

Title

WP Statistics < 12.6.6.1 - Authenticated Stored XSS

Fixed in

Fixed in 12.6.6.1

CVSS

5.4 (medium)

Published

2019-04-09

Title

WP Statistics <= 12.6.3 - Referer Cross-Site Scripting (XSS)

Fixed in

Fixed in 12.6.4

CVSS

6.1 (medium)

Published

2017-07-07

Title

WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting (XSS)

Fixed in

Fixed in 12.0.10

CVSS

6.1 (medium)

Published

2017-07-03

Title

WP Statistics < 12.0.9 - Authenticated Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 12.0.9

CVSS

n/a

Published

2017-06-30

Title

WP Statistics <= 12.0.7 - Authenticated SQL Injection

Fixed in

Fixed in 12.0.8

CVSS

9.8 (critical)

Published

2017-04-10

Title

WP Statistics <= 12.0.4 - Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 12.0.5

CVSS

6.1 (medium)

Published

2015-08-10

Title

WP Statistics <= 9.5.1 - Referer Cross-Site Scripting (XSS)

Fixed in

Fixed in 9.5.2

CVSS

n/a

Published

2015-07-09

Title

WP Statistics <= 9.4 - Authenticated SQL Injection

Fixed in

Fixed in 9.4.1

CVSS

n/a

Published

2015-04-15

Title

WP Statistics <= 9.1.2 - Authenticated Stored Cross-Site Scripting (XSS)

Fixed in

Fixed in 9.1.3

CVSS

n/a

Published

2014-12-03

Title

WP Statistics <= 8.4 - Unauthenticated Referer Header Stored XSS

Fixed in

Fixed in 8.5

CVSS

n/a

Published

2014-11-20

Title

WP Statistics <= 8.3 - Stored & Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 8.3.1

CVSS

n/a

Published

2012-05-15

Title

WP Statistics <= 2.2.4 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 2.2.5

CVSS

n/a