WP Statistics < 14.16.5 – Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter | CVE 2026-5231 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages.

Affects Plugins

Fixed in 14.16.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9b350b48-05ba-4054-895f-36d7ad71459d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

aa9443e7-09f4-45d9-a5c1-c5f4be97c2ff

Timeline

Publicly Published

2026-04-16 (about 27 days ago)

Added

2026-04-16 (about 26 days ago)

Last Updated

2026-04-16 (about 26 days ago)

Other

Published

Title

Published

2025-02-17

Title

WP-FormAssembly < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-01-30

Title

Kona Gallery Block <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-24

Title

Bold Page Builder < 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-15

Title

Awesome Contact Form7 for Elementor < 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Brisk - Unspecified XSS