CVE-2026-3488 - Vulnerability Details

Vendors	Products
Veronalabs	Wp Statistics – Simple, Privacy-friendly Google Analytics Alternative
Wordpress	Wordpress

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/includes/admin/class-wp-statistics-admin-ajax.php#L310
https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/FilterHandler/FilterManager.php#L62
https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21
https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L41
https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/includes/admin/class-wp-statistics-admin-ajax.php#L310
https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/FilterHandler/FilterManager.php#L62
https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21
https://plugins.trac.wordpress.org/changeset/3483860/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/b1938ba4-ced7-455b-8772-a192d9cb0897?source=cve

Type	Values Removed	Values Added
First Time appeared		Veronalabs Veronalabs wp Statistics – Simple, Privacy-friendly Google Analytics Alternative Wordpress Wordpress wordpress
Vendors & Products		Veronalabs Veronalabs wp Statistics – Simple, Privacy-friendly Google Analytics Alternative Wordpress Wordpress wordpress

Type	Values Removed	Values Added
Description		The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints only verify a `wp_rest` nonce via `check_ajax_referer()` but do not enforce any capability checks such as `current_user_can()` or the plugin's own `User::Access()` method. Since the `wp_rest` nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices.
Title		WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/includes/admin/class-wp-statistics-admin-ajax.php#L310 https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/FilterHandler/FilterManager.php#L62 https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21 https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L41 https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/includes/admin/class-wp-statistics-admin-ajax.php#L310 https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/FilterHandler/FilterManager.php#L62 https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21 https://plugins.trac.wordpress.org/changeset/3483860/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php https://www.wordfence.com/threat-intel/vulnerabilities/id/b1938ba4-ced7-455b-8772-a192d9cb0897?source=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3488", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T15:44:08.198Z", "datePublished": "2026-04-17T01:24:37.967Z", "dateUpdated": "2026-04-17T01:24:37.967Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T01:24:37.967Z"}, "affected": [{"vendor": "veronalabs", "product": "WP Statistics \u2013 Simple, privacy-friendly Google Analytics alternative", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "14.16.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints only verify a `wp_rest` nonce via `check_ajax_referer()` but do not enforce any capability checks such as `current_user_can()` or the plugin's own `User::Access()` method. Since the `wp_rest` nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices."}], "title": "WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1938ba4-ced7-455b-8772-a192d9cb0897?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/FilterHandler/FilterManager.php#L62"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/includes/admin/class-wp-statistics-admin-ajax.php#L310"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/FilterHandler/FilterManager.php#L62"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/includes/admin/class-wp-statistics-admin-ajax.php#L310"}, {"url": "https://plugins.trac.wordpress.org/changeset/3483860/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "timeline": [{"time": "2026-03-03T15:59:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T13:23:33.000Z", "lang": "en", "value": "Disclosed"}]}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints only verify a `wp_rest` nonce via `check_ajax_referer()` but do not enforce any capability checks such as `current_user_can()` or the plugin's own `User::Access()` method. Since the `wp_rest` nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices."}], "id": "CVE-2026-3488", "lastModified": "2026-04-17T02:16:05.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-04-17T02:16:05.707", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/includes/admin/class-wp-statistics-admin-ajax.php#L310"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/FilterHandler/FilterManager.php#L62"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/tags/14.16.1/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L41"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/includes/admin/class-wp-statistics-admin-ajax.php#L310"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/FilterHandler/FilterManager.php#L62"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php#L21"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/changeset/3483860/wp-statistics/trunk/src/Service/Admin/PrivacyAudit/PrivacyAuditController.php"}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1938ba4-ced7-455b-8772-a192d9cb0897?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object