{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4303", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T20:17:07.038Z", "datePublished": "2026-04-08T09:25:49.220Z", "dateUpdated": "2026-04-08T18:48:12.685Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:10.815Z"}, "affected": [{"vendor": "osamaesh", "product": "WP Visitor Statistics (Real Time Traffic)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Visitor Statistics (Real Time Traffic) <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3b6916d3-3944-43a2-8d5e-424f86c753ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_statistics.php#L2392"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_init.php#L208"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_init.php#L208"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_statistics.php#L2392"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_statistics.php#L2272"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_statistics.php#L2272"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498538%40wp-stats-manager&new=3498538%40wp-stats-manager&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-03-19T15:00:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T20:50:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:47:36.221847Z", "id": "CVE-2026-4303", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:48:12.685Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T18:47:36.221847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:48:02.517Z"}}], "cna": {"title": "WP Visitor Statistics (Real Time Traffic) <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "osamaesh", "product": "WP Visitor Statistics (Real Time Traffic)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-19T15:00:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T20:50:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3b6916d3-3944-43a2-8d5e-424f86c753ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_statistics.php#L2392"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_init.php#L208"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_init.php#L208"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_statistics.php#L2392"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_statistics.php#L2272"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_statistics.php#L2272"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498538%40wp-stats-manager&new=3498538%40wp-stats-manager&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:10.815Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4303", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:48:12.685Z", "dateReserved": "2026-03-16T20:17:07.038Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T09:25:49.220Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4303", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T10:16:02.173", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_init.php#L208"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_statistics.php#L2272"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/tags/8.4/includes/wsm_statistics.php#L2392"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_init.php#L208"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_statistics.php#L2272"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-stats-manager/trunk/includes/wsm_statistics.php#L2392"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498538%40wp-stats-manager&new=3498538%40wp-stats-manager&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3b6916d3-3944-43a2-8d5e-424f86c753ad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.4]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "WP Visitor Statistics (Real Time Traffic)", "source": "cna", "vendor": "osamaesh"}, "product": "wp_visitor_statistics_(real_time_traffic)", "vendor": "osama.esh"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:20:49.864470+00:00", "value": {"mitigation_remediation": ["Update the WP Visitor Statistics (Real Time Traffic) plugin to the latest version or uninstall it if no upgrade is available.", "If an immediate update is not possible, revoke contributor or higher privileges from users who do not need them to limit potential attackers.", "Review and update all other WordPress plugins for similar XSS vulnerabilities and apply vendor patches promptly."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting allowing authenticated users to inject and execute malicious scripts in other users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all releases of the WP Visitor Statistics (Real Time Traffic) plugin up to and including version 8.4, distributed by the vendor osamaesh. Any WordPress site that has installed this plugin and has users with contributor or higher roles is potentially affected.", "description_and_impact": "The WP Visitor Statistics (Real Time Traffic) WordPress plugin contains a stored cross\u2011site scripting weakness in the wsm_showDayStatsGraph shortcode. The plugin fails to sanitize or escape the user\u2011supplied \"height\" attribute, enabling attackers with contributor\u2011level or higher privileges to embed arbitrary JavaScript into pages. This represents a classic reflected XSS flaw (CWE\u201179) that can compromise user confidentiality and session integrity.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user with contribution rights to insert the malicious attribute; once inserted, the script runs whenever any visitor loads the affected page. Because the flaw leads to arbitrary code execution in the context of the victim\u2019s browser, it can result in session hijacking, data theft, or defacement. With a moderate probability of exploitation, deploying a patch or mitigating the attack surface is strongly recommended."}}}}, "created": "2026-04-08T19:27:18.211209+00:00", "updated": "2026-04-08T19:39:56.096686+00:00", "vendors": ["osama.esh", "osama.esh$PRODUCT$wp_visitor_statistics_(real_time_traffic)", "wordpress", "wordpress$PRODUCT$wordpress"]}