The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.1…

Published: 27 May 2026 at 22:00:00

Alert date: 28 May 2026 at 14:02:15

Source: nvd.nist.gov

Web Technologies

The SlimStat Analytics plugin for WordPress contains a stored cross-site scripting vulnerability in all versions up to and including 5.4.11. The vulnerability exists in the User-Agent header processing due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when users access injected pages. Exploitation requires the show_complete_user_agent_tooltip setting to be explicitly enabled by an administrator, as it is disabled by default. This affects the plugin's analytics functionality and could lead to session hijacking or malicious script execution in WordPress admin panels.
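Because the injection point is a request header that any unauthenticated client controls, web server access logs are the place to check whether a site received User-Agent values carrying markup. The following is an added example, not code from the advisory or the plugin: it assumes logs in Combined Log Format, the function names are hypothetical, and the sample lines are constructed.

```python
import re

# One double-quoted log field; servers log an embedded quote as \" or \x22.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ' + QUOTED +
    r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)')
# Characters a browser User-Agent has no reason to contain. The apostrophe is
# left out because it can appear in legitimate agent strings.
MARKUP_CHARS = set('<>"')

def decode_logged(value):
    """Undo log escaping (\\xHH, \\", \\\\) so hidden characters become visible."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return m.group(2) if m.group(2) in '"\\' else m.group(0)
    return ESCAPE_RE.sub(repl, value)

def suspicious_user_agents(lines):
    """Return (ip, timestamp, decoded User-Agent) for requests whose UA carries markup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ua = decode_logged(m.group(5))  # group 5 is the User-Agent field
        if MARKUP_CHARS & set(ua):
            hits.append((m.group('ip'), m.group('ts'), ua))
    return hits

# Constructed sample lines (documentation IP ranges, inert markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 5320 '
    '"https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"',
    '198.51.100.23 - - [28/May/2026:10:01:40 +0000] "GET /blog/ HTTP/1.1" 200 8121 '
    '"-" "Mozilla/5.0 <i>ua-markup-test</i>"',
    r'203.0.113.7 - - [28/May/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 512 '
    r'"-" "agent\x22quoted\x22"',
]

if __name__ == '__main__':
    for ip, ts, ua in suspicious_user_agents(SAMPLE_LOG):
        print(f'{ts}  {ip}  {ua!r}')
```

A hit shows that a markup-bearing header was sent to the site, not that it was rendered; whether it could execute depends on the plugin version and the show_complete_user_agent_tooltip setting described above.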

Technical details

Mitigation steps:

Affected products:

SlimStat Analytics WordPress Plugin

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.