WordPress Plugin Vulnerabilities

WP Statistics <= 12.6.3 - Referer Cross-Site Scripting (XSS)

Description

The WP Statistics WordPress plugin was affected by a Referer Cross-Site Scripting (XSS) security vulnerability.

Affects Plugins

Plugin icon
wp-statistics
Fixed in 12.6.4

References

CVE
CVE-2019-10864
URL
https://github.com/wp-statistics/wp-statistics/commit/5aec0a08680f0afea387267a8d1b9fbb3379247c
URL
https://medium.com/@aramburu/cve-2019-10864-wordpress-7aebc24751c4

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Manuel Fernández-Aramburu (Innotec Security)
Submitter
Manuel Fernández-Aramburu (Innotec Security)
Submitter website
https://www.innotecsystem.com/
Submitter twitter
innotecsecurity
Verified
No
WPVDB ID
d3aa7e5f-df84-47ef-901c-b9ad7bfa5995

Timeline

Publicly Published
2019-04-09 (about 7 years ago)
Added
2019-04-24 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2016-03-12
Title
Soundy Background Music <= 3.1 - Reflected Cross-Site Scripting (XSS)
Published
2025-12-17
Title
DesignThemes Core <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
WP Photo Album Plus < 4.8.12 - wp-photo-album-plus.php wppa-searchstring XSS
Published
2026-03-16
Title
tagDiv Opt-In Builder < 1.7.4 - Reflected Cross-Site Scripting
Published
2023-04-24
Title
CRM Memberships < 2.5 - Admin+ Stored XSS