Medium 6.5
2026-04-17< 14.16.5
CVE-2026-3488
WP Statistics – Simple, privacy-friendly Google Analytics alternative
Minimum safe version
14.16.5
Update to 14.16.5 or later to address 58 fixable vulnerabilities
Latest available14.16.6 ✓Affected up to12.0.5 ⚠
High 7.2
2026-04-17< 14.16.5
CVE-2026-5231
High 7.2
2025-09-27< 14.15.5
WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
Medium 4.3
2025-08-14< 14.15.2
CVE-2025-55716
Medium 6.5
2025-04-30< 14.13.4
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update
High 7.2
2024-03-13< 14.5.1
CVE-2024-2194
N/A
< 13.1.6
WP Statistic < 13.1.6 - Reflected Cross-Site Scripting
N/A
< 2.2.5
WP Statistics <= 2.2.4 - Cross-Site Scripting (XSS)
N/A
< 8.3.1
WP Statistics <= 8.3 - Stored & Reflected Cross-Site Scripting (XSS)
N/A
< 8.5
WP Statistics <= 8.4 - Unauthenticated Referer Header Stored XSS
N/A
< 9.1.3
WP Statistics <= 9.1.2 - Authenticated Stored Cross-Site Scripting (XSS)
N/A
< 9.4.1
WP Statistics <= 9.4 - Authenticated SQL Injection
N/A
< 9.5.2
WP Statistics <= 9.5.1 - Referer Cross-Site Scripting (XSS)
N/A
< 12.0.9
WP Statistics <= 12.0.8.1 - Authenticated Reflected Cross-Site Scripting (XSS)
N/A
< 12.6.7
WP Statistics <= 12.6.6.1 - Unauthenticated Stored XSS Under Certain Configurations
N/A
< 13.1
WP Statistic < 13.1 - Reflected Cross-Site Scripting (XSS)
High 8.8
2023-03-28< 14.0
WordPress WP Statistics Plugin < 14.0 is vulnerable to SQL Injection
Medium 6.5
2023-03-07< 13.1.2
CVE-2021-4333
Critical 9.9
2023-03-13< 13.2.11
CVE-2022-38074
N/A
2012-05-15< 2.2.5
WP Statistics <= 2.2.4 - Cross-Site Scripting
N/A
2014-11-20< 8.3.1
WP Statistics < 8.3.1 - Multiple Cross-Site Scripting
N/A
2014-12-03< 8.5
WP Statistics <= 8.4 - Stored Cross-Site Scripting
N/A
2015-04-15< 9.1.3
WP Statistics < 9.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting
N/A
2015-07-09< 9.4.1
WP Statistics < 9.4.1 - Authenticated Blind SQL Injection
N/A
2015-08-10< 9.5.2
WP Statistics <= 9.5.1 - Cross-Site Scripting
High 8.8
2023-01-23< 13.2.9
CVE-2022-4230
N/A
2017-07-03< 12.0.9
WP Statistics <= 12.0.8.1 - Reflected Cross-Site Scripting
N/A
2019-07-01< 12.6.7
WP Statistics <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting via IP Manipulation
N/A
2021-08-30< 13.1
WP Statistics <= 13.0.9 - Reflected Cross-Site Scripting
N/A
2022-09-07< 13.2.6
WP Statistics <= 13.2.5 - Information Disclosure
N/A
2022-09-08< 13.2.6
WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection
N/A
2015-05-15< 8.5
WordPress WP Statistics Plugin <= 8.4 - Stored XSS
N/A
2015-05-15< 8.3.1
WordPress WP Statistics Plugin <= 8.3 - Stored & Reflected XSS
N/A
2015-05-15< 9.1.3
WordPress WP Statistics Plugin <= 9.1.2 - Stored Cross Site Scripting
N/A
2015-06-25< 2.2.5
WordPress WP Statistics Plugin <= 2.2.4 - Cross Site Scripting
N/A
2015-08-10< 9.5.2
WordPress WP Statistics Plugin <= 9.5.1 - Cross Site Scripting
N/A
2015-11-22< 9.4.1
WordPress WP Statistics Plugin <= 9.4 - SQL Injection
N/A
2017-04-28< 12.0.6
WordPress WP Statistics plugin <=12.0.5 - Reflected Cross-Site Scripting (XSS) vulnerability
N/A
2017-07-01< 12.0.8
WordPress WP Statistics plugin <=12.0.7 - Authenticated SQL Injection vulnerability
Medium 6.1
2022-06-06< 13.2.2
CVE-2022-1005
Medium 6.1
2022-06-13< 13.2.2
CVE-2022-27231
N/A
2019-07-04< 12.6.7
WordPress WP Statistics plugin <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
N/A
2021-05-18< 13.0.8
WordPress WP Statistics plugin <= 13.0.7 - Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability
Medium 6.1
2017-04-28< 12.0.5
CVE-2017-2136
Medium 6.1
2017-04-28≤ 12.0.4
CVE-2017-2147
Medium 6.1
2017-04-28< 12.0.5
CVE-2017-2135
Medium 6.1
2017-07-07< 12.0.10
CVE-2017-10991
Medium 6.1
2018-06-26≥ 12.0.2 and ≤ 12.0.5
CVE-2018-1000556
Medium 6.1
2019-04-24< 12.6.4
WordPress WP Statistics plugin <= 12.6.3 - Cross-Site Scripting (XSS) vulnerability
Medium 5.4
2019-06-12< 12.6.6.1
WordPress WP Statistics plugin <= 12.6.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Critical 9.8
2019-07-04< 12.6.7
CVE-2019-13275
Critical 9.8
2019-08-14< 12.0.8
CVE-2017-18515
High 7.5
2021-06-07< 13.0.8
CVE-2021-24340
High 7.5
2022-02-16< 13.1.5
CVE-2022-0513
Medium 6.1
2022-02-24< 13.1.6
CVE-2022-25307
Medium 6.1
2022-02-24< 13.1.6
CVE-2022-25306
Medium 6.1
2022-02-24< 13.1.6
CVE-2022-25305
High 7.5
2022-02-24< 13.1.6
CVE-2022-25149
Critical 9.8
2022-02-24< 13.1.6
CVE-2022-25148
High 7.5
2022-02-24< 13.1.6
CVE-2022-0651