- Published on: Apr 17, 2026
- Research Description:
The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. The cause is missing capability checks on multiple AJAX handlers, including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints verify only a `wp_rest` nonce via `check_ajax_referer()` and do not enforce any capability check such as `current_user_can()` or the plugin's own `User::Access()` method. A nonce check is CSRF protection, not authorization: the `wp_rest` nonce is issued to every authenticated WordPress user, so any logged-in account can satisfy it. This makes it possible for authenticated attackers with Subscriber-level access and above to read sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify the privacy audit compliance status, and dismiss administrative notices.
- Affected versions: max 14.16.5.
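To make the pattern concrete, the following is an added example written for this page; it is not WP Statistics' own code. It shows a nonce-only AJAX handler of the kind the description refers to next to a hardened version that keeps the nonce check and adds a capability check. The action names, the `nonce` query-arg name, the `manage_options` capability, the option name and the allowed status values are all assumptions; a real plugin would substitute its own access helper (such as the `User::Access()` method named above) and capability mapping.

```php
<?php
/**
 * Hypothetical AJAX handlers modelled on the pattern described above.
 * Example code for this page, not WP Statistics' own source; the action
 * names, option name, query-arg name and capability are assumptions.
 */

/**
 * Shared guard. check_ajax_referer( 'wp_rest' ) only proves the request
 * carries a nonce that every logged-in user can obtain (it is the value
 * wpApiSettings.nonce holds), i.e. it is CSRF protection, not authorization.
 * The current_user_can() call is what actually restricts who may proceed.
 */
function example_guard( $capability ) {
    // Assumed query-arg name 'nonce'; check_ajax_referer() dies with -1 on failure.
    check_ajax_referer( 'wp_rest', 'nonce' );
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

/* Vulnerable shape: nonce only. Any Subscriber holding the wp_rest nonce passes. */
function example_get_privacy_status_vulnerable() {
    check_ajax_referer( 'wp_rest', 'nonce' );
    wp_send_json_success( array(
        'status' => get_option( 'example_privacy_status', 'unknown' ),
    ) );
}

/* Hardened read endpoint: viewing analytics/privacy data needs an admin-level cap. */
function example_get_privacy_status() {
    example_guard( 'manage_options' ); // assumed capability
    wp_send_json_success( array(
        'status' => get_option( 'example_privacy_status', 'unknown' ),
    ) );
}

/* Hardened write endpoint: the state change is validated and gated the same way. */
function example_update_privacy_status() {
    example_guard( 'manage_options' );
    $allowed = array( 'compliant', 'non_compliant', 'pending' ); // assumed values
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }
    update_option( 'example_privacy_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

/* Register only the hardened handlers, and only for logged-in users: no
   wp_ajax_nopriv_ variants, so unauthenticated requests never reach this code. */
add_action( 'wp_ajax_example_get_privacy_status', 'example_get_privacy_status' );
add_action( 'wp_ajax_example_update_privacy_status', 'example_update_privacy_status' );
```

To verify a fix of this shape, log in as a Subscriber, take the `wp_rest` nonce the site hands to logged-in users, and POST to `wp-admin/admin-ajax.php` with `action=example_update_privacy_status`, `nonce=<value>` and `status=compliant`: the vulnerable handler returns a success JSON body and changes the option, while the hardened one answers with HTTP 403 and leaves it untouched. The same request with a stale or missing nonce should still fail for both, which confirms that adding the capability check has not replaced the CSRF protection.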
Previous vulnerability researches:
- WP Statistics (CVE-2025-9816), Nov 10, 2025
- WP Statistics (CVE-2026-5231), Jun 14, 2026
- WP Statistics (CVE-2026-3488), Jun 14, 2026
- WP Statistics (CVE-2026-48839), Jun 14, 2026
- WP Statistics, May 27, 2025
New vulnerability:
- WP Statistics (CVE-2026-48839), Jun 14, 2026
- WP Statistics (CVE-2026-3488), Jun 14, 2026
- WP Statistics (CVE-2026-5231), Jun 14, 2026
- FAQ Manager For Divi, Gutenberg Block & Shortcode (CVE-2023-33999), Jun 14, 2026
- TablePress – Tables in WordPress made easy (CVE-2023-33999), Jun 14, 2026