Description
The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Any version
Timeline
| 2026-05-28: | Disclosed |
Credits
ZAST.AI
References
www.wordfence.com/...-7f7b-43e6-8439-6dc00a889344?source=cve
plugins.trac.wordpress.org/...atCounter-Wordpress-Plugin.php
plugins.trac.wordpress.org/...atCounter-Wordpress-Plugin.php
plugins.trac.wordpress.org/...atCounter-Wordpress-Plugin.php
plugins.trac.wordpress.org/...atCounter-Wordpress-Plugin.php
plugins.trac.wordpress.org/...lugin-for-wordpress/tags/2.1.2