PatchSiren cyber security CVE debrief

CVE-2026-7634 veronalabs CVE debrief

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the User-Agent header in versions up to and including 5.4.11. The vulnerability stems from insufficient input sanitization and output escaping when processing User-Agent data. Unauthenticated attackers can inject arbitrary web scripts that execute when users access injected pages. However, exploitation requires the show_complete_user_agent_tooltip setting to be explicitly enabled by an administrator, which is disabled by default. This configuration requirement significantly reduces the attack surface in default deployments. The vulnerability was published on May 28, 2026, with subsequent modification the same day. No known exploitation in ransomware campaigns has been documented.

Vendor
veronalabs
Product
SlimStat Analytics
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

WordPress administrators running the SlimStat Analytics plugin, security teams monitoring WordPress plugin vulnerabilities, web application firewall operators, and compliance teams tracking XSS exposure in content management systems.

Technical summary

The vulnerability exists in the SlimStat Analytics WordPress plugin's handling of User-Agent headers. When the show_complete_user_agent_tooltip administrator setting is enabled, User-Agent data is stored without adequate sanitization and later rendered without proper output escaping in administrative reports. The affected components include wp-slimstat-reports.php (admin view), Browscap.php (service layer), Processor.php (tracker), and Storage.php (data layer). The CVSS 3.1 score of 7.2 reflects network accessibility, low attack complexity, no privilege requirements, no user interaction, and changed scope with low impacts to confidentiality and integrity. The default-disabled configuration of the vulnerable feature limits practical exploitability.

Defensive priority

medium

Recommended defensive actions

  • Verify SlimStat Analytics plugin version and upgrade to a fixed version beyond 5.4.11 when available
  • Audit the show_complete_user_agent_tooltip setting and disable it if it is not explicitly required
  • Review User-Agent data storage and rendering in wp-slimstat-reports.php for sanitization controls
  • Implement Content Security Policy headers to mitigate XSS impact
  • Monitor plugin repository for security updates and apply patches promptly
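For the monitoring side of the actions above, the following Python scanner is an added example (not part of the advisory or the plugin) that reads web server access logs in the common "combined" format and flags requests whose User-Agent header carries markup, inline event handlers, `javascript:` URIs or encoded angle brackets. The four log lines are constructed placeholders; the rule list and thresholds are assumptions a WAF operator would tune to their own traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample access-log lines (combined format). Addresses, paths and
# agents are placeholders made up for this example, not real captures.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2026:10:15:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.11 - - [28/May/2026:10:15:07 +0000] "GET /blog/post-1/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0 <script>alert(1)</script>"
203.0.113.12 - - [28/May/2026:10:16:22 +0000] "GET /about/ HTTP/1.1" 200 2100 "-" "curl/8.5.0"
203.0.113.13 - - [28/May/2026:10:17:40 +0000] "GET / HTTP/1.1" 200 4800 "-" "Mozilla/5.0 <img src=x onerror=alert(1)>"
"""

# Apache/nginx "combined" log format; the User-Agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection rules: name -> pattern. Ordinary browser and tool agents contain
# none of these; any hit is worth an alert because the header is stored and
# later rendered by analytics plugins.
SUSPICIOUS_UA_RULES = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("js_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("encoded_angle", re.compile(r"%3c|&lt;|&#60;|\\u003c", re.IGNORECASE)),
]


@dataclass
class Finding:
    ip: str
    timestamp: str
    user_agent: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it
    does not match (malformed lines are skipped, not guessed at)."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def inspect_user_agent(ua: str) -> List[str]:
    """Names of every rule the User-Agent value triggers (empty if clean)."""
    return [name for name, pattern in SUSPICIOUS_UA_RULES if pattern.search(ua)]


def scan_log(text: str) -> List[Finding]:
    """Scan a whole log body and return one Finding per suspicious request."""
    findings: List[Finding] = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = inspect_user_agent(fields["ua"])
        if reasons:
            findings.append(Finding(fields["ip"], fields["ts"], fields["ua"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.ip}  {','.join(f.reasons)}  ua={f.user_agent!r}")
```

Run against a real log, the `encoded_angle` rule deserves the most attention during tuning: it catches payloads that only become markup after a decoding step, which is exactly where storage-side filters tend to miss.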

Evidence notes

The vulnerability description and technical details are sourced from the official CVE record and NVD entry. Code references point to specific file locations in the plugin's admin reports, Browscap service, tracker processor, and storage components across versions 5.4.4, 5.4.11, and trunk. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) supports the HIGH severity rating of 7.2. The CWE-79 classification confirms the XSS nature of the vulnerability.

Official resources

The vulnerability was disclosed on May 28, 2026, and modified later the same day. The source indicates a deferred vulnerability status in the NVD. A pull request addressing the issue has been submitted to the plugin repository.