PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8943 rchmura CVE debrief

Cross-Site Request Forgery (CSRF) vulnerability in GoStats for WordPress plugin versions up to and including 1.4. The gostats_manage() function lacks proper nonce validation, allowing unauthenticated attackers to modify plugin settings (gostats_siteid and gostats_server options) if an administrator can be tricked into clicking a malicious link.

Vendor: rchmura
Product: GoStats for WordPress
CVSS: 4.3 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using GoStats for WordPress plugin versions ≤1.4; security teams managing WordPress deployments; developers maintaining forked or customized versions of the plugin

Technical summary

The GoStats for WordPress plugin does not perform nonce verification, the standard WordPress mechanism for preventing CSRF, in its gostats_manage() function. Without a nonce check, a state-changing request can be forged by a third-party page and submitted by the browser of an authenticated administrator, since the browser attaches the administrator's session cookies automatically. The vulnerability specifically exposes the gostats_siteid and gostats_server configuration options to unauthorized modification. The attack vector requires social engineering to induce administrator interaction, which is why the CVSS score is Medium rather than High.
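As an added illustration (not the plugin's source, which this debrief does not reproduce), here is a minimal WordPress settings handler of the kind described, first without and then with the nonce and capability checks that close the CSRF hole; the function names, form field names, nonce action name and the assumption that the site id is numeric are all hypothetical:

```php
<?php
// Illustrative reconstruction, not the plugin's actual code: a settings handler that
// saves gostats_siteid / gostats_server with no nonce or capability check. Any POST
// that reaches it, including one forged by another site and sent by a logged-in
// administrator's browser, overwrites the options.
function gostats_manage_unprotected() {
    if ( isset( $_POST['gostats_siteid'] ) ) {
        update_option( 'gostats_siteid', $_POST['gostats_siteid'] );
        update_option( 'gostats_server', $_POST['gostats_server'] );
    }
    // ... render the settings form ...
}

// Hardened version. The form embeds a nonce bound to an action name and the current
// user's session; the handler rejects any request that lacks a valid nonce and any
// user who is not allowed to manage options, then sanitizes before storing.
function gostats_manage_protected() {
    if ( isset( $_POST['gostats_save'] ) ) {
        // Terminates the request if the nonce is missing, expired or forged.
        check_admin_referer( 'gostats_save_settings', 'gostats_nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // Assumption: the site id is a positive integer; the server value is a URL.
        update_option( 'gostats_siteid', absint( $_POST['gostats_siteid'] ) );
        update_option( 'gostats_server', esc_url_raw( wp_unslash( $_POST['gostats_server'] ) ) );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'gostats_save_settings', 'gostats_nonce' ); ?>
        <label>Site ID
            <input type="text" name="gostats_siteid"
                   value="<?php echo esc_attr( get_option( 'gostats_siteid' ) ); ?>">
        </label>
        <label>Server
            <input type="text" name="gostats_server"
                   value="<?php echo esc_attr( get_option( 'gostats_server' ) ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'gostats_save' ); ?>
    </form>
    <?php
}
```

A forged cross-site form cannot supply a valid gostats_nonce because the value is derived from the victim's session and a server-side secret, so check_admin_referer() stops the request before update_option() runs.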

Defensive priority

medium

Recommended defensive actions

  • Update GoStats for WordPress plugin to version 1.5 or later when available
  • Implement additional CSRF protection on administrative endpoints
  • Review plugin settings for unauthorized modifications if running affected versions
  • Consider disabling the plugin until a patch is available
  • Deploy web application firewall rules to detect and block suspicious POST requests to plugin management endpoints

Evidence notes

Vulnerability confirmed via Wordfence security advisory. Source code references indicate missing nonce checks at lines 26-27 of GoStats.php. CVSS 3.1 score of 4.3 (Medium) reflects network attack vector with user interaction required.

Official resources

2026-05-27