VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Dec 11, 2025

NewStatPress Vulnerabilities

Review known vulnerability records for the WordPress plugin NewStatPress (`newstatpress`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-13747, CVE-2022-0206 and CVE-2017-18575, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
10
High or Critical
5
Patch Coverage
100%
Last Updated
Jan 08, 2026
Priority CVE Quick Links

Fast paths into NewStatPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
10
CVE-2015-9313 Critical 1.0.6
CVE-2015-9313 NewStatPress SQL Injection

NewStatPress < 1.0.6 - SQL Injection

CVE-2015-9315 Critical 1.0.1
CVE-2015-9315 NewStatPress SQL Injection

NewStatPress <= 1.0.0 - SQL Injection

CVE-2015-4062 High 0.9.9
CVE-2015-4062 NewStatPress SQL Injection

NewStatPress <= 0.9.8 - Authenticated SQL Injection

CVE-2017-18575 High 1.2.5
CVE-2017-18575 NewStatPress Stored Cross-Site Scripting

NewStatPress < 1.2.5 - Unauthenticated Stored Cross-Site Scripting

CVE-2015-9314 High 1.0.4
CVE-2015-9314 NewStatPress Stored Cross-Site Scripting

NewStatPress <= 1.0.3 - Stored Cross-Site Scripting

CVE-2025-13747 Medium 1.4.4
CVE-2025-13747 NewStatPress Stored Cross-Site Scripting

NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2022-0206 Medium 1.3.6
CVE-2022-0206 NewStatPress Cross-Site Scripting

NewStatPress <= 1.3.5 - Reflected Cross-Site Scripting

CVE-2015-9312 Medium 1.0.6
CVE-2015-9312 NewStatPress Cross-Site Scripting

NewStatPress < 1.0.6 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for NewStatPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
2 critical and 3 high severity findings.
Recent CVEs
CVE-2025-13747, CVE-2022-0206 and CVE-2017-18575
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for NewStatPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-13747
CVE-2025-13747: NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

Published
Dec 11, 2025
Patched Release
1.4.4
Affected Versions
Versions up to 1.4.3
Next Step
Update to 1.4.4 or newer if supported.
Open CVE-2025-13747 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-0206
CVE-2022-0206: NewStatPress <= 1.3.5 - Reflected Cross-Site Scripting

The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Published
Jan 13, 2022
Patched Release
1.3.6
Affected Versions
Versions before 1.3.6
Next Step
Update to 1.3.6 or newer if supported.
Open CVE-2022-0206 Report Open CVE Reference
Plugin High Patched: Yes CVE-2017-18575
CVE-2017-18575: NewStatPress < 1.2.5 - Unauthenticated Stored Cross-Site Scripting

The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

Published
Mar 01, 2017
Patched Release
1.2.5
Affected Versions
Versions before 1.2.5
Next Step
Update to 1.2.5 or newer if supported.
Open CVE-2017-18575 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2015-9312
CVE-2015-9312: NewStatPress < 1.0.6 - Reflected Cross-Site Scripting

The NewStatPress plugin before 1.0.6 for WordPress has XSS related to an IMG element.

Published
Jul 07, 2015
Patched Release
1.0.6
Affected Versions
Versions before 1.0.6
Next Step
Update to 1.0.6 or newer if supported.
Open CVE-2015-9312 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2015-9313
CVE-2015-9313: NewStatPress < 1.0.6 - SQL Injection

The newstatpress plugin before 1.0.6 for WordPress has SQL injection related to an IMG element.

Published
Jul 07, 2015
Patched Release
1.0.6
Affected Versions
Versions before 1.0.6
Next Step
Update to 1.0.6 or newer if supported.
Open CVE-2015-9313 Report Open CVE Reference
Plugin High Patched: Yes CVE-2015-9314
CVE-2015-9314: NewStatPress <= 1.0.3 - Stored Cross-Site Scripting

The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Referer header in versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

Published
Jun 30, 2015
Patched Release
1.0.4
Affected Versions
Versions up to 1.0.3
Next Step
Update to 1.0.4 or newer if supported.
Open CVE-2015-9314 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2015-9311
CVE-2015-9311: NewStatPress <= 1.0.6 - Reflected Cross-Site Scripting

The NewStatPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'limitquery' parameter in versions up to, and including,1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published
Jun 25, 2015
Patched Release
1.0.7
Affected Versions
Versions up to 1.0.6
Next Step
Update to 1.0.7 or newer if supported.
Open CVE-2015-9311 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2015-9315
CVE-2015-9315: NewStatPress <= 1.0.0 - SQL Injection

The NewStatPress plugin for WordPress is vulnerable to generic SQL Injection in versions up to, and including, 1.0.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticate...

Published
Jun 08, 2015
Patched Release
1.0.1
Affected Versions
Versions up to 1.0.0
Next Step
Update to 1.0.1 or newer if supported.
Open CVE-2015-9315 Report Open CVE Reference
Plugin High Patched: Yes CVE-2015-4062
CVE-2015-4062: NewStatPress <= 0.9.8 - Authenticated SQL Injection

SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php.

Published
May 25, 2015
Patched Release
0.9.9
Affected Versions
Versions up to 0.9.8
Next Step
Update to 0.9.9 or newer if supported.
Open CVE-2015-4062 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2015-4063
CVE-2015-4063: NewStatPress <= 0.9.8 - Authenticated Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php.

Published
May 25, 2015
Patched Release
0.9.9
Affected Versions
Versions up to 0.9.8
Next Step
Update to 0.9.9 or newer if supported.
Open CVE-2015-4063 Report Open CVE Reference