WordPress Plugin Vulnerabilities

WP Statistic < 13.2.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Stored Cross-Site Scripting attacks when unfiltred_html is disallowed

Affects Plugins

Plugin icon
wp-statistics
Fixed in 13.2.2

References

CVE
CVE-2022-27231
URL
https://jvn.jp/en/jp/JVN15241647/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Shogo Kumamaru of LAC CyberLink Co., Ltd
Verified
No
WPVDB ID
63ba9728-bc9f-4c2f-b19d-59c2769fb2a1

Timeline

Publicly Published
2022-05-24 (about 3 years ago)
Added
2022-05-24 (about 3 years ago)
Last Updated
2023-02-20 (about 2 years ago)

Other

Published
Title
Published
2025-03-28
Title
YouTube SimpleGallery <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-10-18
Title
Video Player <= 1.5.22 - Reflected XSS
Published
2025-06-04
Title
Spare <= 1.7 - Reflected Cross-Site Scripting
Published
2023-09-20
Title
WP Event Manager < 3.1.38 - Admin+ Stored XSS
Published
2025-01-07
Title
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 5.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting