EIP-2026-113923

PRE-CVE

WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113923. PoCs published by Han Sahin.

AI-analyzed exploit summary The exploit demonstrates a persistent XSS vulnerability in the WordPress NewStatPress plugin (version 1.2.4) by injecting malicious JavaScript via the Referer header and a crafted GET request. The payload executes when an admin views the 'Last Visitors' or 'Visitors' tab.

Description

WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC VERIFIED

by Han Sahin · textwebappsphp

https://www.exploit-db.com/exploits/41486

View Code ZIP pw:eip

The exploit demonstrates a persistent XSS vulnerability in the WordPress NewStatPress plugin (version 1.2.4) by injecting malicious JavaScript via the Referer header and a crafted GET request. The payload executes when an admin views the 'Last Visitors' or 'Visitors' tab.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress NewStatPress plugin v1.2.4

No auth needed

Prerequisites: Vulnerable WordPress NewStatPress plugin (v1.2.4) · Ability to send crafted HTTP requests to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026