WordPress Plugin Vulnerabilities

Web-Stat < 1.4.1 - API Key Disclosure

Description

When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account.

This request contained sensitive information such as the site’s “wts_web_stat_uid” which was sent in the “wpid” parameter. The response to this request contained an API key which could be used to directly access the stats admin dashboard hosted on a 3rd party site.

Version 1.4.0 partially addressed these issues but the dashboard API key was still visible to users with minimal permissions, such as subscribers, in the source of the wp-admin panel.

Affects Plugins

Plugin icon
web-stat
Fixed in 1.4.1

References

CVE
CVE-2021-24167

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
ramuelgall
Verified
No
WPVDB ID
e7326903-1552-4934-a611-fc0b43236d60

Timeline

Publicly Published
2021-02-23 (about 3 years ago)
Added
2021-02-24 (about 3 years ago)
Last Updated
2021-03-02 (about 3 years ago)

Other

Published
Title
Published
2021-03-03
Title
User Profile Picture < 2.5.0 - Sensitive Information Disclosure
Published
2023-03-02
Title
WP SMS < 6.0.4.1 - Information Disclosure via REST API
Published
2022-06-17
Title
GiveWP < 2.21.0 - Donor Information Disclosure
Published
2024-01-05
Title
WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.2.0 - Unauthorized Sensitive Data Exposure
Published
2024-02-14
Title
Community by PeepSo < 6.2.7.1 - Unauthenticated Sensitive Information Disclosure via Log file