WordPress Plugin Vulnerabilities

WP Slimstat <= 4.8 - Unauthenticated Stored XSS from Visitors

Description

This vulnerability allows a visitor to inject arbitrary JavasScript code on the plugin access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index—‚ the default page shown once you log in.

Affects Plugins

Plugin icon
wp-slimstat
Fixed in 4.8.1

References

CVE
CVE-2019-15112
URL
https://blog.sucuri.net/2019/05/slimstat-stored-xss-from-visitors.html
URL
https://plugins.trac.wordpress.org/changeset/2091635/wp-slimstat

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Antony Garand
Verified
No
WPVDB ID
79d11708-7664-4aa4-a0d7-7fb1d99e3332

Timeline

Publicly Published
2019-05-21 (about 6 years ago)
Added
2019-05-22 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-05-20
Title
Page Builder by SiteOrigin < 2.29.16 - Contributor+ Stored XSS via siteorigin_widget Shortcode
Published
2023-08-18
Title
Logo Scheduler < 1.2.2 - Admin+ Stored XSS
Published
2019-06-18
Title
Seo by Rank Math <= 1.0.26 - XSS Issues
Published
2024-12-11
Title
Library Bookshelves < 5.9 - Reflected Cross-Site Scripting
Published
2023-06-22
Title
About Me 3000 widget <= 2.2.6 - Administrator Stored Cross-Site Scripting