VYPR
Medium severity · CVSS 6.4 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-6275

Description

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in StatCounter plugin up to 2.1.1 allows authors to inject scripts via unescaped nickname in JavaScript context.

Vulnerability

The StatCounter – Free Real Time Visitor Stats plugin for WordPress, versions up to and including 2.1.1, contains a stored cross-site scripting (XSS) vulnerability in the statcounter_addToTags() function [1][4]. This function is hooked to wp_head and executes on every single-post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a double-quoted JavaScript string inside an inline <script> block, without applying esc_js() or any equivalent JavaScript-context escaping [2][3]. The nickname is stored profile data, not request input, so nothing downstream of the profile form re-checks it: any character in it that closes the string literal, or the script element itself, breaks out of the intended context and the remainder is parsed as JavaScript.

Exploitation

An authenticated attacker with at least Author-level access can set their own nickname (a profile field every WordPress user can edit) to a payload such as ");alert(1);// which closes the double-quoted string, appends a statement, and comments out the rest of the line. When the attacker publishes a post, statcounter_addToTags() writes the unescaped nickname into the page's inline <script> block. Any user, including unauthenticated visitors, who views that post has the injected script executed in their browser. No interaction beyond loading the post is required.

Impact

Successful exploitation results in stored cross-site scripting (XSS) that executes in the context of the victim's browser session on the vulnerable site. An attacker can perform actions such as stealing session cookies not protected by HttpOnly, issuing requests with the victim's privileges, redirecting users to malicious sites, or defacing the page. Because the nickname is rendered on every post by that author, the attack affects all visitors to any post the attacker has published, and the injected script persists until the nickname is cleaned up, the account is removed, or the plugin is updated.

Mitigation

The vulnerability exists in versions up to and including 2.1.1. As of the publication date (2026-05-29), the vendor has not released a patched version. Authors can change their own nickname through their profile, so a workaround has to act on the data or the output rather than on role permissions: sanitize the nickname on save (WordPress applies the pre_user_nickname filter when a user is created or updated) so it cannot contain quote, backslash or angle-bracket characters, or disable the plugin until an update is available. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 affected products.

Patches

0 patches. No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6 references.

News mentions

0 news mentions. No linked articles in our index yet.