SlimStat Analytics

Software Type	Plugin
Software Slug	wp-slimstat (view on wordpress.org)
Software Status	Active
Software Author	veronalabs
Software Website	wp-slimstat.com
Software Downloads	7,192,793
Software Active Installs	70,000
Software Record Last Updated	June 18, 2026

Showing 1-20 of 26 Vulnerabilities

Submit a Vulnerability

SlimStat Analytics < 5.4.0 - Unauthenticated PHP Object Injection

8.1

CVE-2026-27410

Jun 1, 2026

Researcher: Drew Webber (mcdruid)

SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header

7.2

CVE-2026-7634

May 27, 2026

Researcher: Supakiad S. (m3ez)

SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'

7.2

CVE-2026-1238

Mar 18, 2026

Researcher: Supakiad S. (m3ez)

SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter

6.5

CVE-2025-13431

Feb 10, 2026

Researcher: Marcin Dudek (dudekmar)

Slimstat Analytics <= 5.3.2 - Reflected Cross-Site Scripting

6.1

CVE-2025-69323

Jan 27, 2026

Researcher: Drew Webber (mcdruid)

SlimStat Analytics <= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter

7.2

CVE-2025-15057

Jan 8, 2026

Researcher: Supakiad S. (m3ez)

SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters

7.2

CVE-2025-15055

Jan 8, 2026

Researcher: Supakiad S. (m3ez)

SlimStat Analytics <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2025-14151

Dec 18, 2025

Researcher: Supakiad S. (m3ez)

Slimstat Analytics <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-9548

Oct 14, 2024

Researcher: Bilal Chawich (Duke)

SlimStat Analytics <= 5.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2024-1073

Feb 1, 2024

Researcher: Lucio Sá

Slimstat Analytics <= 5.0.9 - Authenticated (Contributor+) Blind SQL Injection via Shortcode

8.8

CVE-2023-4598

Sep 11, 2023

Researchers: Chloe Chamberland, István Márton

Slimstat Analytics <= 5.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4597

Aug 28, 2023

Researcher: István Márton

Slimstat Analytics <= 5.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

4.4

CVE-2023-40676

Aug 22, 2023

Researcher: Rio Darmawan

Slimstat Analytics <= 5.0.5.1 - Missing Authorization via delete_pageview

4.3

CVE-2023-33994

Aug 22, 2023

Researcher: Rafshanzani Suhada

Slimstat Analytics <= 5.0.4 - Reflected Cross-Site Scripting

6.1

CVE-2022-45366

May 11, 2023

Researcher: Rafie Muhammad

Slimstat Analytics <= 5.0.4 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-45373

May 11, 2023

Researcher: Rafie Muhammad

Slimstat Analytics <= 4.9.3.3 - Authenticated (Subscriber+) SQL Injection via Shortcode

8.8

CVE ID Unknown

Mar 30, 2023

Researchers:

Slimstat Analytics <= 4.9.3.2 - Authenticated (Subscriber+) SQL Injection via Shortcode

8.8

CVE-2023-0630

Feb 23, 2023

Researcher: Marc-Alexandre Montpas

Slimstat Analytics <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2022-4310

Dec 19, 2022

Researcher: Bilal Chawich (Duke)

Slimstat Analytics <= 4.9.2 - Reflected Cross-Site Scripting via REQUEST_URI

6.1

CVE ID Unknown

Dec 12, 2022

Researchers:

Title	Status	CVE ID	CVSS	Researchers	Date
SlimStat Analytics < 5.4.0 - Unauthenticated PHP Object Injection	Patched	CVE-2026-27410	8.1	Drew Webber (mcdruid)	June 1, 2026
SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header	Patched	CVE-2026-7634	7.2	Supakiad S. (m3ez)	May 27, 2026
SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'	Patched	CVE-2026-1238	7.2	Supakiad S. (m3ez)	March 18, 2026
SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter	Patched	CVE-2025-13431	6.5	Marcin Dudek (dudekmar)	February 10, 2026
Slimstat Analytics <= 5.3.2 - Reflected Cross-Site Scripting	Patched	CVE-2025-69323	6.1	Drew Webber (mcdruid)	January 27, 2026
SlimStat Analytics <= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter	Patched	CVE-2025-15057	7.2	Supakiad S. (m3ez)	January 8, 2026
SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters	Patched	CVE-2025-15055	7.2	Supakiad S. (m3ez)	January 8, 2026
SlimStat Analytics <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting	Patched	CVE-2025-14151	7.2	Supakiad S. (m3ez)	December 18, 2025
Slimstat Analytics <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting	Patched	CVE-2024-9548	7.2	Bilal Chawich (Duke)	October 14, 2024
SlimStat Analytics <= 5.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting	Patched	CVE-2024-1073	6.4	Lucio Sá	February 1, 2024
Slimstat Analytics <= 5.0.9 - Authenticated (Contributor+) Blind SQL Injection via Shortcode	Patched	CVE-2023-4598	8.8	Chloe Chamberland, István Márton	September 11, 2023
Slimstat Analytics <= 5.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2023-4597	6.4	István Márton	August 28, 2023
Slimstat Analytics <= 5.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	Patched	CVE-2023-40676	4.4	Rio Darmawan	August 22, 2023
Slimstat Analytics <= 5.0.5.1 - Missing Authorization via delete_pageview	Patched	CVE-2023-33994	4.3	Rafshanzani Suhada	August 22, 2023
Slimstat Analytics <= 5.0.4 - Reflected Cross-Site Scripting	Patched	CVE-2022-45366	6.1	Rafie Muhammad	May 11, 2023
Slimstat Analytics <= 5.0.4 - Authenticated (Administrator+) SQL Injection	Patched	CVE-2022-45373	7.2	Rafie Muhammad	May 11, 2023
Slimstat Analytics <= 4.9.3.3 - Authenticated (Subscriber+) SQL Injection via Shortcode	Patched		8.8		March 30, 2023
Slimstat Analytics <= 4.9.3.2 - Authenticated (Subscriber+) SQL Injection via Shortcode	Patched	CVE-2023-0630	8.8	Marc-Alexandre Montpas	February 23, 2023
Slimstat Analytics <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting	Patched	CVE-2022-4310	7.2	Bilal Chawich (Duke)	December 19, 2022
Slimstat Analytics <= 4.9.2 - Reflected Cross-Site Scripting via REQUEST_URI	Patched		6.1		December 12, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

SlimStat Analytics

Information

Showing 1-20 of 26 Vulnerabilities