The SlimStat Analytics plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to 5.4.11. The vulnerability exists in the User-Agent header processing due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when users access injected pages. The vulnerability requires the show_complete_user_agent_tooltip setting to be enabled by an administrator for exploitation, though this setting is disabled by default.