Introduction
Malicious JavaScript injected through a simple HTTP header can compromise WordPress admin accounts on over 600000 sites. WP Statistics, a widely deployed analytics plugin, is vulnerable to persistent cross-site scripting attacks that require no authentication and can be exploited at scale.
WP Statistics is a privacy-focused analytics plugin for WordPress, developed by VeronaLabs. It is one of the most popular plugins in its category, with over 600000 active installations. The plugin provides site owners with detailed visitor analytics without relying on external services, making it a preferred choice for privacy-conscious administrators.
Technical Information
CVE-2025-9816 is a stored cross-site scripting vulnerability affecting WP Statistics in all versions up to and including 14.5.4. The vulnerability arises from the way the plugin processes and displays the User-Agent header in its device analytics functionality. Specifically, the issue is located in the file /includes/admin/templates/pages/devices/models.php at line 31.
When a visitor sends an HTTP request to a WordPress site running a vulnerable version of WP Statistics, the plugin records the User-Agent header value for analytics purposes. However, the plugin fails to sanitize this input before storing it in the WordPress database. Later, when an administrator views the device analytics page, the stored User-Agent string is rendered directly into the page without output escaping. If the value contains malicious JavaScript, it will execute in the context of the admin user's browser session.
This vulnerability is classified as CWE-79 (Cross-site Scripting) and is a textbook example of stored XSS. The root cause is the absence of input validation and output encoding for User-Agent data in the analytics reporting interface.
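To make the two halves of the flaw concrete (raw storage of the header, then unescaped rendering in an admin page), the following PHP snippet is an added example written for this page; it is not code from the WP Statistics plugin or from VeronaLabs. It assumes hypothetical row renderers (`render_device_row_vulnerable` and `render_device_row_safe`) and, when run outside WordPress, shims `esc_html()` and `sanitize_text_field()` with plain-PHP approximations so that the script runs stand-alone. The sample User-Agent value is constructed.

```php
<?php
// Added illustration, not the plugin's own code. It models the behaviour described
// above: a User-Agent value is stored as received and later echoed into an admin
// report. Outside WordPress the two WordPress helpers are shimmed so this runs alone.

if (!function_exists('esc_html')) {
    // WordPress's esc_html() HTML-encodes &, <, >, " and ' for output in HTML text.
    // Plain-PHP approximation used only when WordPress is not loaded.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress's sanitize_text_field(): strip tags and control
    // characters, then trim. Good enough to show input-side defence in depth.
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable pattern: the stored header value is concatenated straight into markup,
// so any tags inside it are interpreted by the administrator's browser.
function render_device_row_vulnerable(string $model): string {
    return '<td>' . $model . '</td>';
}

// Hardened pattern: escape at the point of output. Escaping on output is the fix
// that matters for CWE-79; input sanitisation is an additional layer, not a substitute.
function render_device_row_safe(string $model): string {
    return '<td>' . esc_html($model) . '</td>';
}

// Constructed sample header carrying inert markup and a quote character.
$raw_user_agent = 'Mozilla/5.0 <b>injected</b> "test"';

$stored_raw  = $raw_user_agent;                       // what the vulnerable flow persists
$stored_safe = sanitize_text_field($raw_user_agent);  // what an input-side filter would persist

echo render_device_row_vulnerable($stored_raw), PHP_EOL;
echo render_device_row_safe($stored_raw), PHP_EOL;
echo render_device_row_safe($stored_safe), PHP_EOL;
```

Running it prints three table cells: in the first, the `<b>` tags and quotes reach the browser intact and would be interpreted as markup; in the second, `esc_html()` has turned `<`, `>` and `"` into HTML entities, so the same stored value displays as literal text; the third shows that input-side sanitisation removes the tags before storage, which reduces what an attacker can persist but still relies on output escaping to be safe against values that slip past the filter.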
A relevant code reference is available in the official plugin repository:
Affected Systems and Versions
- WP Statistics plugin for WordPress
- All versions up to and including 14.5.4
- Any WordPress site with the plugin enabled and analytics device reporting active is vulnerable
Vendor Security History
WP Statistics, developed by VeronaLabs, has a documented history of security issues. According to WPScan, at least 31 vulnerabilities have been reported over the plugin's lifetime, including prior stored XSS and SQL injection flaws. In 2024, CVE-2024-2194 described a similar stored XSS vulnerability. The vendor has released patches for previous issues, but recurring problems with input sanitization and output escaping indicate persistent challenges in secure development practices.