CVE-2026-7634: SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed.
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in the SlimStat Analytics plugin for WordPress (versions up to and including 5.4.11) allows an unauthenticated attacker to inject malicious JavaScript via the HTTP User-Agent request header. The payload is stored in the database and executes in the browser of any user who views the affected analytics page, provided the administrator has enabled the show_complete_user_agent_tooltip setting. Successful exploitation lets an attacker run arbitrary scripts in victims' browser sessions, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
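To make the "insufficient output escaping" in the synopsis concrete, here is an added example (not SlimStat's code and not part of the original advisory) that renders a stored User-Agent into a tooltip attribute both the vulnerable way and the hardened way, then parses the result the way a browser would to show whether the header value escaped the attribute context. The markup shape, the function names and the two sample header values are assumptions constructed for the demonstration; the page does not say exactly how the plugin builds its tooltip.

```python
import html
from html.parser import HTMLParser

# Constructed sample header values (not taken from any real capture).
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
# A value that closes the title attribute and smuggles in an event handler.
HOSTILE_UA = '" onmouseover="alert(document.domain)" x="'


def render_tooltip_unsafe(user_agent: str) -> str:
    """Stand-in for the vulnerable pattern: the stored header is interpolated
    into a title attribute with no escaping. Hypothetical, not SlimStat's code."""
    return f'<span class="ua-tooltip" title="{user_agent}">UA</span>'


def render_tooltip_safe(user_agent: str) -> str:
    """Same markup with attribute-context escaping. html.escape(quote=True)
    encodes <, >, &, " and ', the same set esc_attr() handles in WordPress."""
    return f'<span class="ua-tooltip" title="{html.escape(user_agent, quote=True)}">UA</span>'


class _StartTagAttrs(HTMLParser):
    """Collects the attributes of the first start tag, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs) -> None:
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Attribute map the parser sees for the rendered span. Entity references
    inside attribute values are decoded, exactly as a browser decodes them."""
    p = _StartTagAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def breaks_out_of_attribute(markup: str) -> bool:
    """True when rendering produced attributes beyond the two we wrote (class, title),
    i.e. the header value escaped the attribute context and became live markup."""
    return set(parsed_attributes(markup)) - {"class", "title"} != set()


if __name__ == "__main__":
    for ua in (BENIGN_UA, HOSTILE_UA):
        for name, render in (("unsafe", render_tooltip_unsafe), ("safe", render_tooltip_safe)):
            out = render(ua)
            print(f"{name:6} breakout={breaks_out_of_attribute(out)} attrs={sorted(parsed_attributes(out))}")
```

The escaped rendering still carries the attacker's full string, but only as the text of the title attribute: the parser reports just class and title, and the decoded title value round-trips to the original header. Escaping at output time is the fix; stripping characters at storage time would also destroy legitimate analytics data.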
HarborGuard Coverage
[Available] Detection of CVE-2026-7634 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including the Wordfence advisory feed) within minutes of publication and matched against all customer images in registries and active pipelines, including custom-built WordPress images that bundle the SlimStat Analytics plugin.
[Available] HarborGuard scores this finding at CVSS 7.2 HIGH and weighs it against each customer environment's compliance policy so that it surfaces at the correct priority. Triage routing directs the alert to the team or inbox configured for the affected workload within each customer org.
[Pending upstream] No fix version has been published upstream for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the SlimStat Analytics maintainers ship a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention once the upstream patch is available.
Exploit Conditions
- Network reachability: Required
  The attacker sends a crafted HTTP request with a malicious User-Agent header over the network to any WordPress site running the affected plugin, with no requirement for a pre-existing foothold on the host.
- Authentication: Not required
  No account or credential of any privilege level is needed; any unauthenticated HTTP request to the target site is sufficient to deliver the payload.
- Victim interaction: Not required
  The stored payload executes automatically in the browser of any user who loads the affected analytics page; no social-engineering step is required beyond the victim viewing that page in the normal course of their work.
- Attack complexity: Low
  Exploitation is reliable and condition-free from the attacker's side, though the administrator must have explicitly enabled the show_complete_user_agent_tooltip setting (disabled by default) for the stored payload to render.
Blast Radius
- The injected script runs in the browser session of any WordPress user (including administrators) who views the affected analytics page. WordPress sets its authentication cookies with the HttpOnly flag, so the script cannot read them through document.cookie; it does not need to, because every same-origin request it issues carries the victim's session automatically.
- Acting in-session, the script can pick up the REST API nonce that WordPress exposes to its own admin scripts and call authenticated endpoints as the victim, which amounts to taking over the account, including an admin account, without ever learning its password.
- The injected script can make authenticated requests on behalf of the victim, modifying site content, creating rogue admin users, or installing additional plugins.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged and tracked against any customer image found to bundle SlimStat Analytics at version 5.4.11 or earlier. Because no upstream fix exists yet, HarborGuard monitors the Wordfence advisory and the veronalabs plugin repository on every ingest cycle and will trigger a patched-image rebuild automatically as soon as a remediated version is published. For customers who opt into auto-remediation, that rebuild is followed by a regression run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls worth considering: confirm through configuration management that show_complete_user_agent_tooltip is disabled (it is off by default), which stops the stored payload from rendering; restrict access to wp-admin, where the plugin's analytics pages live, to trusted networks or an authenticating proxy, so that fewer privileged browsers ever load the page; and, at the edge, reject or truncate User-Agent values containing markup characters such as <, > or " before they reach WordPress. Network policy between internal services does not help here, because the payload arrives in an unauthenticated request from the public internet. Note also that disabling the setting does not remove rows already stored: hostile User-Agent values logged before the toggle was turned off remain in the database and will render again if it is re-enabled, so review the stored user-agent data and purge anything suspicious.
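Because disabling the tooltip setting leaves already-logged payloads in place, a practitioner will want to hunt for User-Agent values that look like markup rather than a client identifier. The following added example (written for this page, not HarborGuard's or SlimStat's tooling) parses combined-log-format web server lines, undoes the quote escaping log writers apply plus any percent-encoding, and flags entries matching a small set of markup indicators. The four log lines are constructed for the demonstration, and the log format, indicator patterns and function names are assumptions; the same normalize-and-classify step can be run over user-agent strings exported from the plugin's own tables.

```python
import re
from urllib.parse import unquote

# Constructed combined-log-format lines (not real traffic). Line 3 uses the
# backslash-x-hex escaping nginx applies to quotes inside logged header values.
SAMPLE_LOG = r'''
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
198.51.100.7 - - [12/May/2026:10:01:09 +0000] "GET /?p=1 HTTP/1.1" 200 4711 "-" "Mozilla/5.0 <img src=x onerror=alert(1)>"
198.51.100.7 - - [12/May/2026:10:01:11 +0000] "GET /?p=2 HTTP/1.1" 200 4711 "-" "\x22 onmouseover=\x22alert(document.domain)"
192.0.2.33 - - [12/May/2026:10:02:00 +0000] "GET /feed/ HTTP/1.1" 200 900 "-" "curl/8.5.0"
'''

# Combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Markup-oriented indicators; genuine browser and bot strings contain none of these.
INDICATORS = (
    ("html-tag", re.compile(r"<\s*/?\s*[a-z!]", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js-uri", re.compile(r"javascript\s*:", re.I)),
    ("attr-breakout", re.compile(r"""["']\s*[a-z-]+\s*=""", re.I)),
)


def normalize_user_agent(raw: str) -> str:
    """Undo the escaping a log writer applies (nginx backslash-x-hex, Apache
    backslash-quote) and any percent-encoding used to slip past naive filters."""
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    s = s.replace('\\"', '"').replace("\\\\", "\\")
    return unquote(s)


def classify_user_agent(ua: str) -> list:
    """Names of the indicators matched by an already-normalized User-Agent value."""
    return [name for name, rx in INDICATORS if rx.search(ua)]


def hunt_user_agents(log_text: str) -> list:
    """Parse combined-log lines and return the requests whose User-Agent
    looks like markup rather than a client identifier."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or differently formatted line; skip it
        ua = normalize_user_agent(m.group("ua"))
        found = classify_user_agent(ua)
        if found:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "request": m.group("req"),
                "ua": ua,
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_user_agents(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["indicators"], repr(hit["ua"]))
```

The indicator set is deliberately narrow so that it stays quiet on ordinary traffic; anything it does flag deserves a look at the corresponding stored analytics row, and the source IP and timestamp give you the pivot for the rest of that client's requests.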
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: not yet published
- Affected Products: 1
  - veronalabs / SlimStat Analytics: ≤ 5.4.11
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
References
- wordfence.com
- plugins.trac.wordpress.org
- github.com