Slimstat <= 4.8 - Unauthenticated Stored XSS from Visitors



Description
This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin’s access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index, the default page shown once you log in.

Affects Plugin

fixed in version 4.8.1

References

URL https://blog.sucuri.net/2019/05/slimstat-stored-xss-from-visitors.html
URL https://plugins.trac.wordpress.org/changeset/2091635/wp-slimstat

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Antony Garand
Views 2865
Verified No
WPVDB ID 9285

Timeline

Publicly Published 2019-05-21 (30 days ago)
Added 2019-05-22 (28 days ago)
Last Updated 2019-05-22 (28 days ago)
