NewStatPress <= 1.0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)



Description
Insufficient validation of user input (the HTTP "Referer" header) results in a persistent XSS in the WordPress admin panel. An attacker may be able to access any cookies, session tokens or other sensitive information retained by the browser and used with that site.

Affects Plugin

fixed in version 1.0.4

References

CVE 2015-9314
URL https://wordpress.org/plugins/newstatpress/changelog/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter HSASec
Submitter Website https://www.hsasec.de
Submitter Twitter HSASec
Views 4089
Verified No
WPVDB ID 8067

Timeline

Publicly Published 2015-06-30 (about 4 years ago)
Added 2015-06-30 (about 4 years ago)
Last Updated 2019-08-21 (2 days ago)
