A critical vulnerability in WP Statistics threatens over 600,000 websites: CleanTalk Research team discovers complete admin panel takeover method

The CleanTalk Research team has identified a critical vulnerability, tracked as CVE-2025-9816, in the popular WP Statistics plugin (versions up to and including 14.15.3), which is installed on over 600,000 WordPress websites. The flaw allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS), which can lead to administrative session hijacking, compromise of the admin panel and, depending on what else is reachable from there, code execution on the underlying server.

The injection point is the HTTP User-Agent header: the plugin records the header value sent by visitors and later renders it in the WordPress admin panel without adequate escaping, so a crafted header runs arbitrary JavaScript in an administrator's browser. From there an attacker can steal session tokens and nonces, escalate privileges, create administrator accounts and, if additional attack vectors are available, extend access to the operating system. Most critically, no authentication is required: a single HTTP request carrying the payload is enough, which makes mass automated exploitation trivial.

The WP Statistics development team has released a security update addressing this vulnerability. Website administrators are strongly urged to update WP Statistics to the latest version immediately; any installation still on 14.15.3 or earlier should be treated as exposed.
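Two checks a site operator or incident responder would want at this point, written as an added example for this advisory rather than taken from the advisory or from the WP Statistics plugin itself: a version test against the affected range stated above, and a pass over web-server access logs for User-Agent values that carry HTML or JavaScript, which no real browser sends. The log lines and the plugin header are constructed samples; the parser assumes the Apache/nginx combined log format with embedded quotes escaped as \", and the version comparison is a plain numeric one that ignores PHP version_compare suffix rules such as -beta.

```python
"""Version check and User-Agent scan for the WP Statistics stored XSS advisory.

Added example, not code from the advisory or the plugin. Assumptions:
  - access logs use the combined format; quotes inside a field are escaped
    as \" (Apache default), so a hostile User-Agent cannot break parsing;
  - the affected range is "up to and including 14.15.3" as the advisory
    states; version parts are compared numerically (no -beta/-rc handling).
"""
import re
from urllib.parse import unquote

AFFECTED_MAX_VERSION = "14.15.3"   # from the advisory text

# combined log line: ip ident user [time] "request" status size "referer" "ua"
# each quoted field allows backslash-escaped characters so \" inside is safe
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Browsers never put markup in a User-Agent, so any of these is worth an alert.
XSS_MARKERS = re.compile(
    r'<\s*/?[a-z!?]'        # an HTML tag opening (<img, </script, <!--)
    r'|javascript\s*:'      # javascript: URLs
    r'|\bon[a-z]+\s*=',     # inline event handlers such as onerror= / onload=
    re.IGNORECASE,
)


def unescape_log_field(field):
    """Undo the \\" and \\\\ escaping the server applied to a quoted field.
    Other escapes (e.g. \\x1f for control bytes) are left untouched."""
    return re.sub(r'\\(["\\])', r'\1', field)


def parse_combined_log_line(line):
    """Return a dict of fields, or None if the line is not combined format."""
    m = COMBINED_RE.match(line.rstrip('\r\n'))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ('request', 'referer', 'ua'):
        rec[key] = unescape_log_field(rec[key])
    return rec


def looks_like_html_injection(user_agent):
    """True if the User-Agent carries tag/script markup, URL-decoded first."""
    return XSS_MARKERS.search(unquote(user_agent)) is not None


def find_suspicious_user_agents(lines):
    """Return [(line number, client ip, user agent)] for hostile-looking lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_combined_log_line(line)
        if rec is None:          # different log format or truncated line
            continue
        if looks_like_html_injection(rec['ua']):
            hits.append((lineno, rec['ip'], rec['ua']))
    return hits


def parse_plugin_version(header_text):
    """Read the 'Version:' line from a WordPress plugin's file header."""
    m = re.search(r'^\s*\*?\s*Version:\s*(\S+)', header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version, affected_max=AFFECTED_MAX_VERSION):
    """True if version <= affected_max, comparing dotted numbers part by part."""
    def key(v):
        return tuple(int(p) for p in v.split('.'))
    return key(version) <= key(affected_max)


# Constructed samples: two benign requests (one with an escaped quote in the
# UA) and two probes carrying markup, the second URL-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0 Safari/537.36"',
    '198.51.100.9 - - [10/Oct/2025:10:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 <img src=x onerror=alert(1)>"',
    '198.51.100.9 - - [10/Oct/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 %3Cscript%3Efetch(\'//x\')%3C/script%3E"',
    '192.0.2.4 - - [10/Oct/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"MyBot/1.0 (contact \\"ops@example.com\\")"',
]

# Constructed plugin header, not the real plugin file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP Statistics
 * Version: 14.15.3
 */
"""

if __name__ == '__main__':
    v = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for lineno, ip, ua in find_suspicious_user_agents(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {ua!r}")
```

Running it on a real access log is a matter of passing the open file to find_suspicious_user_agents. A hit shows that someone sent markup in the User-Agent, not that the site was vulnerable when the request arrived, so pair it with the version check and a review of the administrator user list for accounts nobody created.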

The CleanTalk Research team specializes in identifying and responsibly disclosing vulnerabilities in popular WordPress plugins and themes. We continue to actively audit plugins and publish technical reports on newly discovered vulnerabilities.

Stay informed:
📝 Research Blog: https://research.cleantalk.org/ 
📱 Telegram Channel: https://t.me/cleantalk_researches/326 


REFERENCES
https://research.cleantalk.org/cve-2025-9816/ 
https://www.cve.org/CVERecord?id=CVE-2025-9816 
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-statistics/ 
https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 

CleanTalk Security Plugin automatically scans your plugins for known vulnerabilities. The plugin monitors the versions of all your installed plugins and themes and immediately alerts you if a vulnerability is detected in one. As soon as a problem is detected (like with WP Statistics), you receive a notification.
