Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Visitor Traffic Real Time Statistics by wp-buy
CVE-2026-2936 (GCVE-0-2026-2936)
Vulnerability from nvd – Published: 2026-04-04 11:16 – Updated: 2026-04-08 17:18
VLAI?
Title
Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting
Summary
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | Visitor Traffic Real Time Statistics |
Affected:
0 , ≤ 8.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:29:56.487743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:30:10.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visitor Traffic Real Time Statistics",
"vendor": "wp-buy",
"versions": [
{
"lessThanOrEqual": "8.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027page_title\u0027 parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:58.176Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-21T00:39:41.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-03T22:10:48.000Z",
"value": "Disclosed"
}
],
"title": "Visitor Traffic Real Time Statistics \u003c= 8.4 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2936",
"datePublished": "2026-04-04T11:16:16.954Z",
"dateReserved": "2026-02-21T09:23:23.031Z",
"dateUpdated": "2026-04-08T17:18:58.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24193 (GCVE-0-2021-24193)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:21
VLAI?
Title
Visitor Traffic Real Time Statistics < 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User
Summary
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Severity ?
No CVSS data available.
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | Visitor Traffic Real Time Statistics |
Affected:
2.12 , < 2.12
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visitor Traffic Real Time Statistics",
"vendor": "wp-buy",
"versions": [
{
"lessThan": "2.12",
"status": "affected",
"version": "2.12",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bugbang"
}
],
"descriptions": [
{
"lang": "en",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:16.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Visitor Traffic Real Time Statistics \u003c 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24193",
"STATE": "PUBLIC",
"TITLE": "Visitor Traffic Real Time Statistics \u003c 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visitor Traffic Real Time Statistics",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.12",
"version_value": "2.12"
}
]
}
}
]
},
"vendor_name": "wp-buy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bugbang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24193",
"datePublished": "2021-05-14T11:38:16.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-2936 (GCVE-0-2026-2936)
Vulnerability from cvelistv5 – Published: 2026-04-04 11:16 – Updated: 2026-04-08 17:18
VLAI?
Title
Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting
Summary
The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | Visitor Traffic Real Time Statistics |
Affected:
0 , ≤ 8.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:29:56.487743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:30:10.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visitor Traffic Real Time Statistics",
"vendor": "wp-buy",
"versions": [
{
"lessThanOrEqual": "8.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027page_title\u0027 parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:58.176Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8e86b0-5e06-44e0-a94c-b05581f46e5a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3466230/visitors-traffic-real-time-statistics"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-21T00:39:41.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-03T22:10:48.000Z",
"value": "Disclosed"
}
],
"title": "Visitor Traffic Real Time Statistics \u003c= 8.4 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2936",
"datePublished": "2026-04-04T11:16:16.954Z",
"dateReserved": "2026-02-21T09:23:23.031Z",
"dateUpdated": "2026-04-08T17:18:58.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24193 (GCVE-0-2021-24193)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:21
VLAI?
Title
Visitor Traffic Real Time Statistics < 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User
Summary
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Severity ?
No CVSS data available.
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | Visitor Traffic Real Time Statistics |
Affected:
2.12 , < 2.12
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visitor Traffic Real Time Statistics",
"vendor": "wp-buy",
"versions": [
{
"lessThan": "2.12",
"status": "affected",
"version": "2.12",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bugbang"
}
],
"descriptions": [
{
"lang": "en",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:16.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Visitor Traffic Real Time Statistics \u003c 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24193",
"STATE": "PUBLIC",
"TITLE": "Visitor Traffic Real Time Statistics \u003c 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visitor Traffic Real Time Statistics",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.12",
"version_value": "2.12"
}
]
}
}
]
},
"vendor_name": "wp-buy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bugbang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24193",
"datePublished": "2021-05-14T11:38:16.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}