Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 37 known issues Latest disclosed Apr 16, 2026

WP Statistics – Simple, privacy-friendly Google Analytics alternative Vulnerabilities

Q: How many WP Statistics – Simple, privacy-friendly Google Analytics alternative vulnerabilities have patch guidance?

37 of 37 tracked WP Statistics – Simple, privacy-friendly Google Analytics alternative records include a published patch path.

Review known vulnerability records for the WordPress plugin WP Statistics – Simple, privacy-friendly Google Analytics alternative (`wp-statistics`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-3488, CVE-2026-5231 and CVE-2025-9816, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 17, 2026

Related Security Guides

Use these guides while reviewing WP Statistics – Simple, privacy-friendly Google Analytics alternative fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize WP Statistics – Simple, privacy-friendly Google Analytics alternative remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is wp-statistics before acting on any CVE from this cluster.

2. Sort by Severity

Start with 21 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

37 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2022-0651 Critical

SQL Injection remediation for WP Statistics – Simple, privacy-friendly Google Analytics alternative

Affected range: Versions up to 13.1.5. Fixed version: 13.1.6.

CVE-2022-25149 Critical

SQL Injection remediation for WP Statistics – Simple, privacy-friendly Google Analytics alternative

Affected range: Versions up to 13.1.5. Fixed version: 13.1.6.

CVE-2022-25148 Critical

SQL Injection remediation for WP Statistics – Simple, privacy-friendly Google Analytics alternative

Affected range: Versions up to 13.1.5. Fixed version: 13.1.6.

CVE-2022-0513 Critical

SQL Injection remediation for WP Statistics – Simple, privacy-friendly Google Analytics alternative

Affected range: Versions up to 13.1.4. Fixed version: 13.1.5.

Priority CVE Quick Links

Fast paths into WP Statistics – Simple, privacy-friendly Google Analytics alternative CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2022-0651 WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via current_page_type	SQL Injection	Versions up to 13.1.5	13.1.6	CVSS 9.8
CVE-2022-25149 WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via IP	SQL Injection	Versions up to 13.1.5	13.1.6	CVSS 9.8
CVE-2022-25148 WP Statistics <= 13.1.5 - Unauthenticated SQL Injection	SQL Injection	Versions up to 13.1.5	13.1.6	CVSS 9.8
CVE-2022-0513 WP Statistics <= 13.1.4 - Unauthenticated Blind SQL Injection	SQL Injection	Versions up to 13.1.4	13.1.5	CVSS 9.8
CVE-2019-13275 WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection	SQL Injection	Versions up to 12.6.6.1	12.6.7	CVSS 9.8
CVE-2022-38074 WP Statistics <= 13.2.10 - Authenticated (Subscriber+) SQL Injection	SQL Injection	Versions up to 13.2.10	13.2.11	CVSS 8.8
CVE-2017-18515 WP Statistics <= 12.0.7 - Authenticated SQL Injection	SQL Injection	Versions up to 12.0.7	12.0.8	CVSS 8.8
CVE-2021-24340 WP Statistics <= 13.0.7 - Unauthenticated SQL Injection	SQL Injection	Versions before 13.0.8	13.0.8	CVSS 7.5

CVE-2022-0651 Critical 13.1.6

CVE-2022-0651 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via current_page_type

CVE-2022-25149 Critical 13.1.6

CVE-2022-25149 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via IP

CVE-2022-25148 Critical 13.1.6

CVE-2022-25148 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 13.1.5 - Unauthenticated SQL Injection

CVE-2022-0513 Critical 13.1.5

CVE-2022-0513 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 13.1.4 - Unauthenticated Blind SQL Injection

CVE-2019-13275 Critical 12.6.7

CVE-2019-13275 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection

CVE-2022-38074 High 13.2.11

CVE-2022-38074 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 13.2.10 - Authenticated (Subscriber+) SQL Injection

CVE-2017-18515 High 12.0.8

CVE-2017-18515 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 12.0.7 - Authenticated SQL Injection

CVE-2021-24340 High 13.0.8

CVE-2021-24340 WP Statistics – Simple, privacy-friendly Google Analytics alternative SQL Injection

WP Statistics <= 13.0.7 - Unauthenticated SQL Injection

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for WP Statistics – Simple, privacy-friendly Google Analytics alternative so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

37 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

5 critical and 16 high severity findings.

Recent CVEs

CVE-2026-3488, CVE-2026-5231 and CVE-2025-9816

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-3488 Medium Patch path listed

CVE-2026-3488: WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handler...

Published

Apr 16, 2026

Patch Status

14.16.5

Review CVE-2026-3488 affected versions

CVE-2026-5231 High Patch path listed

CVE-2026-5231: WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient...

Published

Apr 16, 2026

Patch Status

14.16.5

Review CVE-2026-5231 affected versions

CVE-2025-9816 High Patch path listed

CVE-2025-9816: WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header

The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and...

Published

Sep 26, 2025

Patch Status

14.15.5

Review CVE-2025-9816 affected versions

Known Vulnerabilities

Reports for WP Statistics – Simple, privacy-friendly Google Analytics alternative

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-3488

CVE-2026-3488: WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_...

Published

Apr 16, 2026

Patched Release

14.16.5

Affected Versions

Versions up to 14.16.4

Next Step

Update to 14.16.5 or newer if supported.

Review CVE-2026-3488 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-5231

CVE-2026-5231: WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_so...

Published

Apr 16, 2026

Patched Release

14.16.5

Affected Versions

Versions up to 14.16.4

Next Step

Update to 14.16.5 or newer if supported.

Review CVE-2026-5231 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2025-9816

CVE-2025-9816: WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header

The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes i...

Published

Sep 26, 2025

Patched Release

14.15.5

Affected Versions

Versions up to 14.15.4

Next Step

Update to 14.15.5 or newer if supported.

Review CVE-2025-9816 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-55716

CVE-2025-55716: WP Statistics <= 14.15 - Missing Authorization

The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 14.15. This makes it possible for authenticated attackers, with S...

Published

Aug 14, 2025

Patched Release

14.15.2

Affected Versions

Versions up to 14.15

Next Step

Update to 14.15.2 or newer if supported.

Review CVE-2025-55716 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-3953

CVE-2025-3953: WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update

The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible f...

Published

Apr 29, 2025

Patched Release

14.13.4

Affected Versions

Versions up to 14.13.3

Next Step

Update to 14.13.4 or newer if supported.

Review CVE-2025-3953 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2024-2194

CVE-2024-2194: WP Statistics <= 14.5 - Unauthenticated Stored Cross-Site Scripting

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published

Mar 11, 2024

Patched Release

14.5.1

Affected Versions

Versions up to 14.5

Next Step

Update to 14.5.1 or newer if supported.

Review CVE-2024-2194 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2023-0955

CVE-2023-0955: WP Statistics <= 13.2.16 - Authenticated (Admin+) SQL Injection

The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the $days_time_list value in versions up to, and including, 13.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it po...

Published

Mar 06, 2023

Patched Release

14.0

Affected Versions

Versions up to 13.2.16

Next Step

Update to 14.0 or newer if supported.

Review CVE-2023-0955 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2022-38074

CVE-2022-38074: WP Statistics <= 13.2.10 - Authenticated (Subscriber+) SQL Injection

The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the ‘limit’ parameter in versions up to, and including, 13.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possib...

Published

Jan 31, 2023

Patched Release

13.2.11

Affected Versions

Versions up to 13.2.10

Next Step

Update to 13.2.11 or newer if supported.

Review CVE-2022-38074 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2022-4230

CVE-2022-4230: WP Statistics <= 13.2.8 - Authenticated (Admin+) SQL Injection

The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the $search_engine value in versions up to, and including, 13.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it poss...

Published

Dec 27, 2022

Patched Release

13.2.9

Affected Versions

Versions up to 13.2.8

Next Step

Update to 13.2.9 or newer if supported.

Review CVE-2022-4230 fixed version details Open CVE Reference

Plugin High Patched: Yes

WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection

The WP Statistics plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘agent’ parameter in versions up to, and including, 13.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

Published

Sep 08, 2022

Patched Release

13.2.6

Affected Versions

Versions up to 13.2.5

Next Step

Update to 13.2.6 or newer if supported.

Review WP Statistics – Simple, privacy-friendly Google Analytics alternative vulnerability details

Plugin Medium Patched: Yes

WP Statistics <= 13.2.5 - Information Disclosure

The WP Statistics plugin for WordPress is vulnerable to information disclosure via the Metabox REST API in versions up to, and including, 13.2.5. This allows all authenticated users to access statistics generated by the plugin.

Published

Sep 07, 2022

Patched Release

13.2.6

Affected Versions

13.2.5 through 13.2.5

Next Step

Update to 13.2.6 or newer if supported.

Review WP Statistics – Simple, privacy-friendly Google Analytics alternative vulnerability details

Plugin Medium Patched: Yes CVE-2022-27231

CVE-2022-27231: WP Statistics <= 13.1.7 - Cross-Site Scripting

Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using th...

Published

May 24, 2022

Patched Release

13.2.0

Affected Versions

Versions before 13.2.0

Next Step

Update to 13.2.0 or newer if supported.

Review CVE-2022-27231 fixed version details Open CVE Reference