VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published May 27, 2026

CVE-2026-8943

Description

The GoStats for WordPress plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (the gostats_siteid and gostats_server options) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in GoStats for WordPress lets an unauthenticated attacker change the plugin's settings with a forged request that a logged-in administrator is tricked into submitting.

Vulnerability

The GoStats for WordPress plugin in all versions up to and including 1.4 is vulnerable to Cross-Site Request Forgery (CSRF). The gostats_manage() function lacks proper nonce validation on its settings update action, as seen in the source code [1][2]. The attacker needs no account on the target site: the forged request is submitted by the administrator's own browser, which attaches the admin's session cookies, so WordPress sees an authenticated administrator and the plugin writes the attacker-supplied gostats_siteid and gostats_server values. All the attacker has to do is get the administrator to click a malicious link or visit a crafted page while logged in.

Exploitation

An unauthenticated attacker prepares a request carrying new values for the gostats_siteid and gostats_server parameters and delivers it through social engineering. If the settings handler accepts GET requests, a hidden image tag in an email or forum post suffices; if it only accepts POST, the attacker hosts a page with an auto-submitting form and sends the administrator a link to it. When a logged-in administrator triggers the request, the plugin processes the update without checking a nonce and the configuration is altered [1][2]. No additional privileges or authentication are required from the attacker beyond the ability to deliver the forged request.
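To make the missing check concrete, here is an added illustration of the vulnerable pattern beside a hardened version, written against the standard WordPress APIs. It is not the GoStats plugin's own code: the option names gostats_siteid and gostats_server come from the advisory, but the request parameter names, the gostats_update_settings nonce action, the gostats_nonce field name, the settings page slug and the function names are assumptions made for the example.

```php
<?php
/*
 * Added illustration of the CSRF pattern from the advisory; not the
 * plugin's own code. Only the two option names are taken from the
 * advisory. Parameter names, nonce action/field names, the page slug
 * and function names are assumptions.
 */

// --- Vulnerable shape: settings written straight from the request. ---
// Nothing ties this POST to a form WordPress rendered for this admin, so
// a page on any origin can submit it and the browser attaches the
// admin's cookies. A forged page the attacker hosts would look like
// (constructed example; real parameter names may differ):
//
//   <form id="f" method="post"
//         action="https://victim.example/wp-admin/options-general.php?page=gostats">
//     <input type="hidden" name="gostats_siteid" value="ATTACKER_SITE_ID">
//     <input type="hidden" name="gostats_server" value="stats.attacker.example">
//   </form><script>document.getElementById('f').submit()</script>
function gostats_manage_vulnerable() {
    if ( isset( $_POST['gostats_siteid'], $_POST['gostats_server'] ) ) {
        update_option( 'gostats_siteid', $_POST['gostats_siteid'] );
        update_option( 'gostats_server', $_POST['gostats_server'] );
    }
    // ... settings form rendered here without a nonce field ...
}

// --- Hardened shape: capability check, nonce check, sanitization. ---
function gostats_manage_hardened() {
    if ( isset( $_POST['gostats_save'] ) ) {
        // 1. Capability: a nonce proves origin, not authority, so check both.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( __( 'Insufficient permissions.' ) );
        }
        // 2. Nonce: check_admin_referer() calls wp_die() if the nonce is
        //    missing, expired, or was issued for another action or user.
        //    A cross-origin page cannot obtain a valid nonce for the admin.
        check_admin_referer( 'gostats_update_settings', 'gostats_nonce' );
        // 3. Sanitize before storing.
        $site_id = sanitize_text_field( wp_unslash( $_POST['gostats_siteid'] ?? '' ) );
        $server  = esc_url_raw( wp_unslash( $_POST['gostats_server'] ?? '' ) );
        update_option( 'gostats_siteid', $site_id );
        update_option( 'gostats_server', $server );
    }
    // The rendered form must carry the matching nonce field, otherwise
    // legitimate saves would be rejected by check_admin_referer() above.
    ?>
    <form method="post">
        <?php wp_nonce_field( 'gostats_update_settings', 'gostats_nonce' ); ?>
        <label>Site ID
            <input type="text" name="gostats_siteid"
                   value="<?php echo esc_attr( get_option( 'gostats_siteid', '' ) ); ?>">
        </label>
        <label>Server
            <input type="text" name="gostats_server"
                   value="<?php echo esc_attr( get_option( 'gostats_server', '' ) ); ?>">
        </label>
        <input type="submit" name="gostats_save" value="Save">
    </form>
    <?php
}
```

The order matters: the capability check guards against a lower-privileged user who does hold a valid nonce for their own session, and the nonce check guards against the cross-origin request described in the advisory. Registering the page with add_options_page() (which requires manage_options) does not replace either check, because the POST handler can still be reached directly.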

Impact

Successful exploitation allows the attacker to change the plugin's Site ID and server settings. This can redirect the analytics data to an attacker-controlled GoStats account, potentially exposing site traffic data or disrupting legitimate analytics collection. The impact is limited to plugin configuration integrity; no direct file write, remote code execution, or privilege escalation is achieved.

Mitigation

The vulnerability exists in all versions up to 1.4, and no patched version has been released as of the advisory date [1][2]. Site administrators should disable or remove the plugin until a security update adding nonce validation is available. No workaround is provided. Because a forged request may already have been processed, administrators should also confirm that the stored gostats_siteid and gostats_server values still point at their own GoStats account and server before trusting the plugin's analytics. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)