{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1238", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T17:06:15.495Z", "datePublished": "2026-03-19T04:27:29.705Z", "dateUpdated": "2026-04-08T17:30:48.873Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:48.873Z"}, "affected": [{"vendor": "veronalabs", "product": "SlimStat Analytics", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e991fbdf-8e26-4d2e-8e3b-c8990914dcad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/admin/view/right-now.php#L185"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/wp-slimstat.php#L1948"}, {"url": "https://plugins.trac.wordpress.org/changeset/3477417/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-01-20T18:53:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T16:05:53.975393Z", "id": "CVE-2026-1238", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:06:06.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1238", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T16:05:53.975393Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:06:00.261Z"}}], "cna": {"title": "SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "veronalabs", "product": "SlimStat Analytics", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.3.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-20T18:53:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e991fbdf-8e26-4d2e-8e3b-c8990914dcad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/admin/view/right-now.php#L185"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/wp-slimstat.php#L1948"}, {"url": "https://plugins.trac.wordpress.org/changeset/3477417/"}], "descriptions": [{"lang": "en", "value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-19T04:27:29.705Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1238", "state": "PUBLISHED", "dateUpdated": "2026-03-19T16:06:06.309Z", "dateReserved": "2026-01-20T17:06:15.495Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-19T04:27:29.705Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin SlimStat Analytics para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'fh' (huella digital) en todas las versiones hasta la 5.3.5, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida deficiente. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1238", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-19T05:15:59.567", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/admin/view/right-now.php#L185"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.5/wp-slimstat.php#L1948"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3477417/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e991fbdf-8e26-4d2e-8e3b-c8990914dcad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SlimStat Analytics", "source": "cna", "vendor": "veronalabs"}, "product": "slimstat_analytics", "vendor": "veronalabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T06:50:54.319937+00:00", "value": {"mitigation_remediation": ["Upgrade SlimStat Analytics to version 5.3.6 or later.", "If an upgrade is not immediately possible, disable or remove the 'fh' parameter from the plugin or block the parameter with a firewall rule to prevent script injection.", "Ensure that WordPress core and all other plugins are updated to their latest secure versions.", "Monitor website logs and user sessions for signs of XSS activity and conduct regular security scans."], "summary": {"action": "Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "The affected product is the SlimStat Analytics plugin from veronalabs. All releases up to and including version 5.3.5 are susceptible; no impact was reported for newer releases in the CVE record.", "description_and_impact": "Key detail from CVE description: The SlimStat Analytics plugin for WordPress is vulnerable to stored cross\u2011site scripting via the 'fh' parameter in all versions up to 5.3.5 due to insufficient input sanitization and output escaping. Attackers who can supply arbitrary values for 'fh' can inject malicious scripts that execute whenever an affected user views the injected page, potentially leading to session hijacking, defacement, or theft of credentials.", "risk_and_exploitability": "The CVSS score for this vulnerability is 7.2, which corresponds to a high severity rating. The EPSS score is not provided and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating no widespread, known exploitation. According to the CVE description the attack vector is unauthenticated input of the 'fh' parameter; an attacker can embed a payload that will execute in the context of any visitor to the affected page. Because the flaw does not require authentication, it poses an elevated risk to all users of the plugin."}}}}, "created": "2026-03-19T08:54:42.304727+00:00", "updated": "2026-03-25T11:55:26.929513+00:00", "vendors": ["veronalabs", "veronalabs$PRODUCT$slimstat_analytics", "wordpress", "wordpress$PRODUCT$wordpress"]}