CVE-2026-7634

CVE Database · CVE-2026-7634

CVE-2026-7634

· HIGHDeferred

CVSS v3.1

7.2

EPSS

0.30%

Published

May 28, 2026

Modified

May 28, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

References (14)

https://github.com/wp-slimstat/wp-slimstat/pull/297

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.11/admin/view/wp-slimstat-reports.php#L2099

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.11/src/Services/Browscap.php#L270

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.11/src/Tracker/Processor.php#L776

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.11/src/Tracker/Storage.php#L25

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.4/admin/view/wp-slimstat-reports.php#L2099

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.4/src/Services/Browscap.php#L270

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.4/src/Tracker/Processor.php#L776

https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.4.4/src/Tracker/Storage.php#L25

KEV Catalog EPSS Scores Vendors All CVEs