WordPress Plugin Vulnerabilities

WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting

Description

The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP, browser and platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics

Affects Plugins

Plugin icon
wp-statistics
Fixed in 13.1.6

References

CVE
CVE-2022-25305
CVE
CVE-2022-25306
CVE
CVE-2022-25307
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25305
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25306
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25307

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Muhammad Zeeshan (Xib3rR4dAr)
Verified
Yes
WPVDB ID
fc822698-1f5a-4371-8c6e-2ca250c3c26d

Timeline

Publicly Published
2022-02-17 (about 4 years ago)
Added
2022-02-17 (about 4 years ago)
Last Updated
2022-04-16 (about 3 years ago)

Other

Published
Title
Published
2022-08-23
Title
Scroll To Top < 1.4.1 - Admin+ Stored Cross-Site Scripting
Published
2012-06-06
Title
Wassup < 1.8.3.1 - XSS
Published
2023-01-11
Title
Gallery Factory Lite <= 2.0.0 - Contributor+ Stored XSS
Published
2024-04-05
Title
ENL Newsletter <= 1.0.1 - Stored XSS via CSRF
Published
2020-09-09
Title
Elementor Addon Elements < 1.6.4 - CSRF & XSS