CVE-2026-3488 MEDIUM

CVE-2026-3488: WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation

Vendor Veronalabs
Product WP Statistics – Simple, privacy-friendly Google Analytics alternative
Weakness CWE-862 · Missing authorization
Published April 17, 2026
Last update April 17, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints only verify a `wp_rest` nonce via `check_ajax_referer()` but do not enforce any capability checks such as `current_user_can()` or the plugin's own `User::Access()` method. Since the `wp_rest` nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices.
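The following PHP is an added illustration of the pattern the description calls out, written for this page; it is not WP Statistics' own code. It shows a handler that only calls `check_ajax_referer()` beside the hardened form that also enforces a capability check. The AJAX action names and the `wp_rest` nonce action come from the description; the request parameter names (`nonce`, `status`), the capability `manage_options`, the option name and the allowed status values are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Names marked "assumed" are not from the advisory.

// --- Vulnerable pattern: nonce only -----------------------------------------
// WordPress hands a 'wp_rest' nonce to every logged-in user (it is what the REST
// API expects), so check_ajax_referer() proves the request is not forged, but says
// nothing about the caller's role. Shown for contrast; not hooked in below.
function example_vulnerable_get_privacy_status() {
    check_ajax_referer( 'wp_rest', 'nonce' );                   // CSRF check only
    wp_send_json_success( get_option( 'example_privacy_status', 'pending' ) ); // 'example_privacy_status' assumed
}

// --- Hardened pattern: nonce AND capability ---------------------------------
// wp_send_json_error() ends the request via wp_die(), so no explicit return is needed.
function example_require_admin() {
    check_ajax_referer( 'wp_rest', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {              // authorization (capability assumed)
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
}

function example_hardened_get_privacy_status() {
    example_require_admin();
    wp_send_json_success( array( 'status' => get_option( 'example_privacy_status', 'pending' ) ) );
}

function example_hardened_update_privacy_status() {
    example_require_admin();
    // Validate the input as well: an authorized caller still should not write arbitrary values.
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    $allowed = array( 'compliant', 'pending' );                  // assumed set of statuses
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status' ), 400 );
    }
    update_option( 'example_privacy_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

function example_hardened_dismiss_notices() {
    example_require_admin();
    $notice = isset( $_POST['notice'] ) ? sanitize_key( wp_unslash( $_POST['notice'] ) ) : '';
    if ( '' === $notice ) {
        wp_send_json_error( array( 'message' => 'Missing notice id' ), 400 );
    }
    update_user_meta( get_current_user_id(), 'example_dismissed_' . $notice, 1 );
    wp_send_json_success();
}

// Only the hardened handlers are registered. wp_ajax_ hooks run for logged-in users only;
// that alone is not an authorization check, hence example_require_admin() in each handler.
add_action( 'wp_ajax_wp_statistics_getPrivacyStatus',    'example_hardened_get_privacy_status' );
add_action( 'wp_ajax_wp_statistics_updatePrivacyStatus', 'example_hardened_update_privacy_status' );
add_action( 'wp_ajax_wp_statistics_dismiss_notices',     'example_hardened_dismiss_notices' );
```

The point of the contrast is that `check_ajax_referer()` answers "did this request originate from a page this user loaded?" and nothing more; the question "is this user allowed to do this?" has to be asked separately with `current_user_can()` (or the plugin's own `User::Access()`, whose signature is not shown here) before any data is returned or written.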

Explanation of Vulnerability in Simple Terms

02Summary

WP Statistics versions 14.16.4 and earlier lack capability checks on several AJAX handlers. The handlers verify a `wp_rest` nonce, but WordPress issues that nonce to every logged-in user, so any account with at least the Subscriber role can call them. Such a user can read sensitive analytics data (user IDs, usernames, email addresses, visitor tracking data), read and change the plugin's privacy audit compliance status, and dismiss administrative notices. Exploitation requires a low-privileged account but no user interaction, and it works over the network. Site administrators should update to a version newer than 14.16.4.

What an attacker can do

03Attacker Capabilities

With any logged-in account (Subscriber role or above): read sensitive analytics data including user IDs, usernames, email addresses and visitor tracking data; retrieve and modify the privacy audit compliance status; and dismiss administrative notices shown to site admins.

Potential impact on your site

04Site Impact

Low-privileged users can view analytics records that identify registered users (IDs, usernames, emails) and visitors, falsify the plugin's privacy audit status so that the site appears compliant when it is not, and silence administrative notices that would otherwise alert site owners.

Conditions required to exploit

05Prerequisites

Network access to the WordPress site and an authenticated account with at least Subscriber-level privileges (obtainable on sites that allow open user registration); no user interaction is required. Note that the CVSS vector on this page records Privileges Required: None, which does not match the description above: the description states that a valid `wp_rest` nonce, and therefore a logged-in account, is needed.

Key dates

06Disclosure timeline

April 17, 2026 CVE published
April 17, 2026 Record updated