WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP-Stats < 2.5.2 - CSRF to Stored Cross-Site Scripting (XSS)

Description

The plugin does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads

Affects Plugins

wp-stats
Fixed in version 2.52

References

CVE
CVE-2015-10001
URL
https://www.openwall.com/lists/oss-security/2015/06/17/6

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Sebastian Wolfgang Kraemer

Submitter

HSASec

Submitter website
https://www.hsasec.de
Submitter twitter
HSASec
Verified

Yes

WPVDB ID
f5c3dfea-7203-4a98-88ff-aa6a24d03734

Timeline

Publicly Published

2015-06-17 (about 7 years ago)

Added

2015-06-17 (about 7 years ago)

Last Updated

2022-04-08 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin