CVE-2026-6275 | statcounter StatCounter Plugin up to 2.1.1 on WordPress statcounter_addToTags cross site scripting (EUVD-2026-33250)

This report documents CVE-2026-6275: a stored Cross-Site Scripting (XSS) vulnerability in the StatCounter – Free Real Time Visitor Stats WordPress plugin (<= 2.1.1) caused by insufficient escaping of the post author nickname in statcounter_addToTags; authenticated attackers with Author-level access can inject scripts into posts, there is no public exploit reported, and upgrading to StatCounter Plugin 2.1.1 is recommended.