MEDIUM
rchmura
CVE published 2026-05-27
CVE-2026-8943
Cross-Site Request Forgery (CSRF) vulnerability in GoStats for WordPress plugin versions up to and including 1.4. The gostats_manage() function lacks proper nonce validation, allowing unauthenticated attackers to modify plugin settings (gostats_siteid and gostats_server options) if an administrator can be tricked into clicking a malicious link.