VYPR

Wp Statistics

by WordPress

Source repositories

CVEs (29)

  • CVE-2024-2194HigMar 13, 2024
    risk 0.49cvss 7.2epss 0.68

    The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2021-4333MedMar 7, 2023
    risk 0.42cvss 6.5epss 0.00

    The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and…

  • CVE-2026-5231HigApr 17, 2026
    risk 0.40cvss 7.2epss 0.00

    The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw…

  • CVE-2025-9816HigSep 27, 2025
    risk 0.40cvss 7.2epss 0.09

    The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This…

  • CVE-2017-10991MedJul 7, 2017
    risk 0.40cvss 6.1epss 0.01

    The WP Statistics plugin through 12.0.9 for WordPress has XSS in the rangestart and rangeend parameters on the wps_referrers_page page.

  • CVE-2017-2147MedApr 28, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in WP Statistics version 12.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2017-2136MedApr 28, 2017
    risk 0.40cvss 6.1epss 0.03

    Cross-site scripting vulnerability in WP Statistics version 12.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.

  • CVE-2017-2135MedApr 28, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2026-48839HigJun 1, 2026
    risk 0.39cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS. This issue affects WP Statistics: from n/a through 14.16.6.

  • CVE-2022-38074HigMar 13, 2023
    risk 0.39cvss 7.1epss 0.01

    SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions.

  • CVE-2026-3488MedApr 17, 2026
    risk 0.35cvss 6.5epss 0.00

    The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`,…

  • CVE-2025-3953MedApr 30, 2025
    risk 0.28cvss 5.4epss 0.00

    The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it…

  • CVE-2025-55716MedAug 14, 2025
    risk 0.21cvss 4.3epss 0.00

    Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through <= 14.15.

  • CVE-2022-25148Feb 24, 2022
    risk 0.08cvss epss 0.81

    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL…

  • CVE-2021-24340Jun 7, 2021
    risk 0.07cvss epss 0.27

    The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any…

  • CVE-2022-25149Feb 24, 2022
    risk 0.06cvss epss 0.78

    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to…

  • CVE-2022-0651Feb 24, 2022
    risk 0.06cvss epss 0.33

    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL…

  • CVE-2022-0513Feb 16, 2022
    risk 0.03cvss epss 0.53

    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary…

  • CVE-2022-25305Feb 24, 2022
    risk 0.01cvss epss 0.81

    The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that…

  • CVE-2023-0955Mar 27, 2023
    risk 0.00cvss epss 0.01

    The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a…

Page 1 of 2