WordPress Plugin Vulnerabilities
WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode
Description
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
Proof of Concept
Exploit shortcode: [wsm_showDayStatBox id='" onclick="javascript:alert(1)']
Affects Plugins
Fixed in version 6.5
References
Classification
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2023-01-17 (about 4 months ago)
Added
2023-01-17 (about 4 months ago)
Last Updated
2023-01-17 (about 4 months ago)