Refine your search
2 vulnerabilities found for Visitor Traffic Real Time Statistics by wp-buy
CVE-2026-2936 (GCVE-0-2026-2936)
Vulnerability from cvelistv5
Published
2026-04-04 11:16
Modified
2026-04-08 17:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | Visitor Traffic Real Time Statistics |
Version: 0 ≤ 8.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:29:56.487743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:30:10.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visitor Traffic Real Time Statistics",
"vendor": "wp-buy",
"versions": [
{
"lessThanOrEqual": "8.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027page_title\u0027 parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:58.176Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-21T00:39:41.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-03T22:10:48.000Z",
"value": "Disclosed"
}
],
"title": "Visitor Traffic Real Time Statistics \u003c= 8.4 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2936",
"datePublished": "2026-04-04T11:16:16.954Z",
"dateReserved": "2026-02-21T09:23:23.031Z",
"dateUpdated": "2026-04-08T17:18:58.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24193 (GCVE-0-2021-24193)
Vulnerability from cvelistv5
Published
2021-05-14 11:38
Modified
2024-08-03 19:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | Visitor Traffic Real Time Statistics |
Version: 2.12 < 2.12 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visitor Traffic Real Time Statistics",
"vendor": "wp-buy",
"versions": [
{
"lessThan": "2.12",
"status": "affected",
"version": "2.12",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bugbang"
}
],
"descriptions": [
{
"lang": "en",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:16.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Visitor Traffic Real Time Statistics \u003c 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24193",
"STATE": "PUBLIC",
"TITLE": "Visitor Traffic Real Time Statistics \u003c 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visitor Traffic Real Time Statistics",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.12",
"version_value": "2.12"
}
]
}
}
]
},
"vendor_name": "wp-buy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bugbang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24193",
"datePublished": "2021-05-14T11:38:16.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}