{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2936", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-21T09:23:23.031Z", "datePublished": "2026-04-04T11:16:16.954Z", "dateUpdated": "2026-04-08T17:18:58.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:58.176Z"}, "affected": [{"vendor": "wp-buy", "product": "Visitor Traffic Real Time Statistics", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."}], "title": "Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-02-04T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-21T00:39:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T22:10:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:29:56.487743Z", "id": "CVE-2026-2936", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:30:10.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2936", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:29:56.487743Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:30:03.412Z"}}], "cna": {"title": "Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wp-buy", "product": "Visitor Traffic Real Time Statistics", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-04T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-21T00:39:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T22:10:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics"}], "descriptions": [{"lang": "en", "value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T11:16:16.954Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2936", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:30:10.434Z", "dateReserved": "2026-02-21T09:23:23.031Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T11:16:16.954Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."}], "id": "CVE-2026-2936", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T12:16:03.090", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Visitor Traffic Real Time Statistics", "source": "cna", "vendor": "wp-buy"}, "product": "visitor_traffic_real_time_statistics", "vendor": "wp-buy"}], "analysis": {"en": {"generated_at": "2026-04-04T13:21:07.928741+00:00", "value": {"mitigation_remediation": ["Update Visitor Traffic Real Time Statistics to a version newer than 8.4 or remove the plugin if it is not needed", "If an update is unavailable, restrict the page_title parameter to authenticated users only or block public access to the page that accepts the parameter", "After applying the update or removal, review the database for any remaining malicious script entries and delete them", "Disable or limit administrative access from untrusted networks using firewall or web\u2011application\u2011gateway rules", "Monitor admin activity logs for signs of unauthorized script execution or session hijacking"], "summary": {"action": "Apply Patch", "impact": "Stored Cross-Site Scripting leading to compromised admin sessions"}, "threat_synthesis": {"affected_systems": "The plugin 'Visitor Traffic Real Time Statistics' from wp-buy is affected in all released versions up to and including 8.4. No other vendors or products are listed as impacted.", "description_and_impact": "The vulnerability resides in the Visitor Traffic Real Time Statistics WordPress plugin and allows an attacker who can send arbitrary data to the 'page_title' parameter to store malicious scripts. Because the input is not properly sanitized and the output is not escaped, those scripts are saved in the database and run each time an administrator visits the Traffic by Title page. This stored cross\u2011site scripting can enable an attacker to hijack the admin session, deface the site, or perform other malicious actions within the context of an authenticated user.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, and EPSS data is not available, but the lack of a KEV listing does not diminish the risk for sites still using the vulnerable plugin version. The flaw is exploitable by anyone with network access to the site, as the injection occurs via a public parameter. An attacker simply needs to submit a crafted request containing malicious script content; upon the next admin view of the Traffic by Title section, the script executes with the privileges of the administrator. The potential impact ranges from session hijacking to full compromise of the administrative interface. "}}}}, "created": "2026-04-06T20:27:27.912731+00:00", "updated": "2026-04-06T22:20:46.584572+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp-buy", "wp-buy$PRODUCT$visitor_traffic_real_time_statistics"]}