Visitor Traffic Real Time Statistics Plugin Vulnerability (CVE-2026-2936)


Security Alert Summary

The Visitor Traffic Real Time Statistics plugin for WordPress is affected by a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject scripts via a page parameter. Injected scripts can execute when an administrator views the Traffic by Title section, creating low-impact confidentiality and integrity risks for admin users.


CVE Details

  • CVE ID: CVE-2026-2936
  • Affected component: Visitor Traffic Real Time Statistics plugin for WordPress
  • Affected versions: All versions up to and including 8.4
  • Published: April 4, 2026 at 12:16 PM
  • Last modified: April 4, 2026 at 12:16 PM
  • CVSS v3.1 base score: 7.2 — HIGH
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: NONE
    • User Interaction: NONE
    • Scope: CHANGED
    • Confidentiality Impact: LOW
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • CWE / Weakness: CWE-79 (Cross-site Scripting)

Technical Details

The plugin contains a stored cross-site scripting vulnerability in the page_title parameter. Insufficient input sanitization and missing output escaping allow an unauthenticated attacker to inject arbitrary web scripts into data that is later rendered in the WordPress admin “Traffic by Title” section. When an administrative user views that section, the stored script can execute in the context of the admin’s browser.

The issue exists because values provided to the affected parameter are not properly sanitized on input and are not escaped on output before rendering in the admin interface. The vulnerability is persistent (stored), so the malicious content can remain in plugin data until removed.
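The defect class described above, as an added illustration that is not the plugin's actual code: a hypothetical handler that stores a visitor-supplied page_title value and later renders it in an admin table, first with neither input sanitization nor output escaping, then hardened with WordPress's own sanitize_text_field() and esc_html(). The table name, function names and the $wpdb/$rows inputs are assumptions for the example.

```php
<?php
// Hypothetical code illustrating the advisory's defect class; not the plugin's own code.

// --- Vulnerable pattern: no sanitization on input, no escaping on output ---
function vts_record_visit_vulnerable( $wpdb, $table ) {
    // Raw request value goes straight into storage (stored/persistent data).
    $title = isset( $_POST['page_title'] ) ? $_POST['page_title'] : '';
    $wpdb->insert( $table, array( 'page_title' => $title, 'hits' => 1 ) );
}

function vts_render_traffic_by_title_vulnerable( $rows ) {
    echo '<table><tr><th>Title</th><th>Hits</th></tr>';
    foreach ( $rows as $row ) {
        // Stored value echoed verbatim: markup saved earlier is rendered,
        // and any script in it executes in the administrator's browser.
        echo '<tr><td>' . $row->page_title . '</td><td>' . (int) $row->hits . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened pattern: sanitize on input AND escape on output ---
function vts_record_visit_hardened( $wpdb, $table ) {
    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags, null bytes and stray whitespace from the untrusted value.
    $title = isset( $_POST['page_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_title'] ) )
        : '';
    // Bound the length so stored values stay within a sane size.
    $title = mb_substr( $title, 0, 200 );
    $wpdb->insert( $table, array( 'page_title' => $title, 'hits' => 1 ), array( '%s', '%d' ) );
}

function vts_render_traffic_by_title_hardened( $rows ) {
    echo '<table><tr><th>Title</th><th>Hits</th></tr>';
    foreach ( $rows as $row ) {
        // esc_html() is the output-side control: even if a row was written
        // before the fix or sanitization was incomplete, markup is neutralized.
        echo '<tr><td>' . esc_html( $row->page_title ) . '</td><td>' . (int) $row->hits . '</td></tr>';
    }
    echo '</table>';
}
```

Output escaping is the control that matters most here: rows stored before a fix, or by another code path, are still rendered safely when every echo passes through esc_html().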


How This Could Impact Your Website

Consider a small organization running WordPress with multiple user roles: a site owner, several internal staff members with editor-level access, and an external contractor who contributes content. An unauthenticated attacker could submit a crafted value for the page_title parameter that is stored by the plugin. If an administrator or editor later opens the Traffic by Title view, the injected script can run in their browser.

Practical consequences can include limited disclosure of information visible to the admin account, such as user names or email addresses accessible from the admin interface, and an increased risk of targeted phishing or social engineering against staff whose information is exposed. Because the CVSS impact is limited to low confidentiality and integrity effects with no availability impact, this does not imply full site takeover but does increase the risk of follow-on attacks against administrative users.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and editor accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and admin access logs for unusual behavior, especially access to admin pages by unfamiliar IP addresses or at unusual times.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References