JustAppSec

Visitor Traffic Real Time Statistics 8.5 patches unauthenticated stored XSS (CVE-2026-2936)

1 min read | Published 03 Apr 2026 | Updated 04 Apr 2026 | Source: Wordfence Intelligence

TL;DR: An unauthenticated stored XSS (CVE-2026-2936) in the Visitor Traffic Real Time Statistics WordPress plugin lets an attacker persist JavaScript that runs in an administrator's browser when they open the “Traffic by Title” report. Update to 8.5 or later.

What happened

Visitor Traffic Real Time Statistics is a WordPress plugin that provides site traffic/visitor reporting inside the WordPress admin UI.

Wordfence reports that CVE-2026-2936 is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping of the page_title parameter: a page_title value supplied in a request is stored and later rendered into the admin report without adequate escaping. Because no authentication is required to supply the value, an unauthenticated attacker can persist attacker-controlled script that executes when an administrator opens the Traffic by Title section.

Wordfence scores this CVSS v3.1 7.2 (High). Stored XSS in an admin-facing report is a common low-effort, high-leverage foothold: the attacker needs no account, the payload sits waiting for a routine admin workflow rather than a rare edge path, and script running in an administrator's session can act with that administrator's privileges (session compromise and follow-on privileged actions). The one precondition is that an administrator actually opens the Traffic by Title view.
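As an added illustration (not the plugin's code and not taken from the Wordfence advisory), the PHP below shows the store-then-render pattern that produces this class of bug beside a hardened version. Function names, the row layout and the two sample payloads are hypothetical and constructed here; outside WordPress the WordPress helpers it calls (sanitize_text_field, esc_html, esc_attr) are replaced by minimal stand-ins so the script runs under the php CLI (PHP 8 or later), while inside WordPress the real helpers would be used.

```php
<?php
// Added example (not the plugin's code): vulnerable store/render pattern for a
// page_title field next to a hardened version. Names are hypothetical.
// Outside WordPress the WP helpers are replaced by minimal stand-ins so this
// runs under the php CLI; inside WordPress the real helpers apply.
declare(strict_types=1);

if (!function_exists('sanitize_text_field')) {
    // Stand-in approximating sanitize_text_field(): drop tags, control
    // characters and surrounding whitespace. It is a sanitizer, not an escaper.
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s) ?? '';
        return trim($s);
    }
}
if (!function_exists('esc_html')) {
    // Stand-in for esc_html(): escape for an HTML text node.
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for esc_attr(): escape for a double-quoted attribute value.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

/** Vulnerable pattern: the visitor-supplied title is stored exactly as received ... */
function vuln_record_visit(array $rows, string $page_title): array {
    $rows[$page_title] = ($rows[$page_title] ?? 0) + 1;
    return $rows;
}

/** ... and later interpolated straight into the admin report markup. */
function vuln_render_report(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $title => $hits) {
        $html .= "<tr><td><a href=\"#\" title=\"{$title}\">{$title}</a></td><td>{$hits}</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Hardened pattern, step 1: sanitize and bound the value on the way in. */
function safe_record_visit(array $rows, string $page_title): array {
    $clean = mb_substr(sanitize_text_field($page_title), 0, 255);
    if ($clean === '') {
        $clean = '(untitled)';
    }
    $rows[$clean] = ($rows[$clean] ?? 0) + 1;
    return $rows;
}

/** Hardened pattern, step 2: escape for the exact output context on the way out. */
function safe_render_report(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $title => $hits) {
        $title = (string) $title;
        $html .= '<tr><td><a href="#" title="' . esc_attr($title) . '">'
               . esc_html($title) . '</a></td><td>' . (int) $hits . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample page_title values. The first carries a tag; the second has
// no tag at all and only breaks out of the title attribute, which input
// sanitization alone does not stop.
$payloads = [
    '<img src=x onerror="alert(document.cookie)">',
    'Home" onmouseover="alert(1)',
];

$vuln = $safe = [];
foreach ($payloads as $p) {
    $vuln = vuln_record_visit($vuln, $p);
    $safe = safe_record_visit($safe, $p);
}
$vulnHtml = vuln_render_report($vuln);
$safeHtml = safe_render_report($safe);

echo "Vulnerable report:\n{$vulnHtml}\nHardened report:\n{$safeHtml}";

// The vulnerable markup carries a live tag and a live event-handler attribute;
// the hardened markup carries neither.
assert(str_contains($vulnHtml, '<img src=x') && str_contains($vulnHtml, '" onmouseover="'));
assert(!str_contains($safeHtml, '<img') && !str_contains($safeHtml, '" onmouseover="'));
```

Run it with `php example.php`. Note what each layer does: sanitize_text_field removes the tagged payload entirely but leaves the attribute-breakout payload untouched, so escaping matched to the output context (esc_html for text nodes, esc_attr for attribute values) is the control that actually closes the bug; input sanitization is defense in depth, not a substitute.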

Who is impacted

  • WordPress sites running the visitors-traffic-real-time-statistics plugin at version 8.4 or earlier.
  • The injection point is reachable without authentication, so any internet-facing install is exposed; the payload fires when an administrator opens the “Traffic by Title” view.

Component                              Affected versions (per Wordfence)   Patched version (per Wordfence)
Visitor Traffic Real Time Statistics   <= 8.4                              8.5

What to do now

  • Update to version 8.5 or a newer patched release (Wordfence's remediation guidance: "Update to version 8.5, or a newer patched version").

  • Inventory where this plugin is deployed (including customer-managed WordPress instances). Because the injection point is an unauthenticated request parameter rather than site content, prioritize every internet-facing install, not only those where untrusted users can edit content.
  • Treat this as an admin-session integrity risk: if you suspect exploitation, invalidate active administrator sessions, and review admin activity (new or elevated users, plugin or theme changes, modified options) around the time “Traffic by Title” was accessed.
  • Reduce exposure where feasible: restrict wp-admin access (IP allowlisting/VPN), enforce strong admin authentication (MFA), and minimize the number of accounts with administrator privileges so a successful XSS has fewer targets.
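One way to carry out the inventory, update and session-invalidation steps above in a single pass, as an added example that is not tooling from the plugin vendor or from Wordfence: it assumes WP-CLI (`wp`) is installed on each host and that you maintain a sites file with one WordPress install path per line. The plugin slug and the 8.5 fixed version come from the advisory; the script name, the sites file and the helper function names are this example's own.

```sh
#!/bin/sh
# Added example, not vendor tooling: walk a list of WordPress install paths,
# read the plugin version via WP-CLI, update affected installs, and destroy
# every administrator's sessions so script already run in an admin browser
# cannot keep riding that session. Assumes WP-CLI is installed.

PLUGIN="visitors-traffic-real-time-statistics"
FIXED="8.5"   # first patched release per Wordfence

# version_lt A B: succeed (exit 0) when A < B, comparing dot-separated fields
# numerically so that 8.10 sorts after 8.5. Pre-release suffixes are not handled.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# needs_patch VERSION: succeed when VERSION is below the fixed release.
needs_patch() {
    version_lt "$1" "$FIXED"
}

# remediate_site PATH: update the plugin if affected, then log out all admins.
remediate_site() {
    site="$1"
    if ! ver=$(wp --path="$site" plugin get "$PLUGIN" --field=version 2>/dev/null); then
        echo "$site: $PLUGIN not installed, nothing to do"
        return 0
    fi
    if needs_patch "$ver"; then
        echo "$site: $PLUGIN $ver is affected, updating to >= $FIXED"
        wp --path="$site" plugin update "$PLUGIN"
        # Invalidate every administrator session on this install.
        for uid in $(wp --path="$site" user list --role=administrator --field=ID); do
            wp --path="$site" user session destroy "$uid" --all
        done
    else
        echo "$site: $PLUGIN $ver already patched"
    fi
}

# Usage: sh remediate.sh sites.txt
# With no argument only the functions are defined, so the file can be sourced.
if [ "$#" -eq 1 ]; then
    while IFS= read -r site || [ -n "$site" ]; do
        [ -n "$site" ] && remediate_site "$site"
    done < "$1"
fi
```

The version comparison is done numerically per field rather than with string comparison so a future 8.10 is not mistaken for an affected release; the session-destroy step is deliberately unconditional for every administrator on an affected install, since there is no reliable way to tell from the outside which admin viewed the report.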

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
