WordPress Plugin Vulnerabilities

Fathom Analytics < 3.0.5 - Admin+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the fathom_site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Plugin icon
fathom-analytics
Fixed in 3.0.5

References

CVE
CVE-2021-41836
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-41836

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
José Aguilera
Verified
Yes
WPVDB ID
31fef8fa-cdd2-4522-a1de-92c75b87e5ad

Timeline

Publicly Published
2021-12-08 (about 4 years ago)
Added
2021-12-13 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2024-02-14
Title
Premium Addons for Elementor < 4.10.19 - Contributor+ Stored Cross-Site Scripting
Published
2020-04-06
Title
Vanguard <= 2.1 - Multiple Cross-Site Scripting (XSS)
Published
2025-02-24
Title
Contact Form 7 Star Rating with font Awesome <= 1.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2023-09-01
Title
ShopConstruct <= 1.1.2 - Admin+ Stored XSS
Published
2024-04-26
Title
WP ULike < 2.7.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting