cleantalk
Vulnerabilities and Security Researches

StatCounter – Free Real Time Visitor Stats, CVE-2026-6275

CVE, Research URL

CVE-2026-6275

Home page URL

Security reports for StatCounter – Free Real Time Visitor Stats

Application

StatCounter – Free Real Time Visitor Stats

Published on
May 29, 2026
Research Description
The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker.
Affected versions
max 2.1.2.
Status
vulnerable
Previous vulnerability researches
Poll Maker &#8211; Best WordPress Poll Plugin (CVE-2023-50904) , Jun 10, 2024
Poll Maker &#8211; Best WordPress Poll Plugin (CVE-2024-56295) , Jan 17, 2025
Poll Maker &#8211; Best WordPress Poll Plugin (CVE-2025-12620) , Dec 11, 2025
Poll Maker &#8211; Best WordPress Poll Plugin (CVE-2024-9462) , Oct 27, 2024
Poll Maker &#8211; Best WordPress Poll Plugin (CVE-2024-9475) , Oct 27, 2024
New vulnerability
StatCounter &#8211; Free Real Time Visitor Stats (CVE-2026-6275) , May 31, 2026
Post Snippets &#8211; Custom WordPress Code Snippets Customizer (CVE-2026-7430) , May 31, 2026
Poll Maker &#8211; Best WordPress Poll Plugin (CVE-2026-8995) , May 31, 2026
Login with phone number (CVE-2026-3655) , May 31, 2026
Spectra &#8211; WordPress Gutenberg Blocks (CVE-2026-7465) , May 31, 2026