WP Statistics < 12.6.6.1 – Authenticated Stored XSS | CVE 2019-12566

Affects Plugins

wp-statistics

Fixed in 12.6.6.1

References

CVE

CVE-2019-12566

URL

https://github.com/wp-statistics/wp-statistics/issues/271

URL

https://github.com/wp-statistics/wp-statistics/commit/aec4359975344f75385ae1ec257575d8131d6ec2

URL

https://github.com/wp-statistics/wp-statistics/commit/cda6dcaf123f4df1e01fbc819f47a98ca5c8ac0a

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

kuqadk3

Submitter

Ryan Dewhurst

Submitter website

https://wpscan.io

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

a71fd22f-d2d7-4ac2-9519-87e0dcab0516

Timeline

Publicly Published

2019-05-30 (about 6 years ago)

Added

2019-06-11 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2023-12-26

Title

Zoho Forms < 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-08-19

Title

SensorPress <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-06-23

Title

WPCRM - CRM for Contact form CF7 & WooCommerce <= 3.2.0 - Reflected Cross-Site Scripting

Published

2021-11-01

Title

Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting

Published

2024-04-19

Title

RSS Feed Widget < 2.9.8 - Authenticated (Admin+) Stored Cross-Site Scripting