Threat Entry Updated 2026-04-07

CVE-2026-2936 - Visitor Traffic Real Time Statistics Plugin

The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_title' parameter in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an admin user accesses the Traffic by Title section.

PLUGIN Visitor Traffic Real Time Statistics

CVE-2026-2936

HIGH CVSS 7.2 2026-04-04

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24829 - Visitor Traffic Real Time Statistics Plugin

The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated users) before using it in a SQL statement, leading to an SQL injection issue

PLUGIN Visitor Traffic Real Time Statistics

CVE-2021-24829

HIGH CVSS 8.8 2021-11-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24193 - Visitor Traffic Real Time Statistics Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Visitor Traffic Real Time Statistics

CVE-2021-24193

HIGH CVSS 8.8 2021-05-14

Risk Score

Open Full Technical Breakdown