WordPress Plugin Vulnerabilities
Web-Stat < 1.4.1 - API Key Disclosure
Description
When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account.
This request contained sensitive information such as the site’s “wts_web_stat_uid” which was sent in the “wpid” parameter. The response to this request contained an API key which could be used to directly access the stats admin dashboard hosted on a 3rd party site.
Version 1.4.0 partially addressed these issues but the dashboard API key was still visible to users with minimal permissions, such as subscribers, in the source of the wp-admin panel.
Affects Plugins
References
CVE
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-02-23 (about 3 years ago)
Added
2021-02-24 (about 3 years ago)
Last Updated
2021-03-02 (about 3 years ago)