WP Slimstat <= 4.8 - Unauthenticated Stored XSS from Visitors



Description
This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin’s access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index, the default page shown once you log in.

Affects Plugin

Fixed in version 4.8.1

References

CVE 2019-15112
URL https://blog.sucuri.net/2019/05/slimstat-stored-xss-from-visitors.html
URL https://plugins.trac.wordpress.org/changeset/2091635/wp-slimstat

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Antony Garand
Views 4636
Verified No
WPVDB ID 9285

Timeline

Publicly Published 2019-05-21 (about 1 year ago)
Added 2019-05-22 (about 1 year ago)
Last Updated 2019-11-27 (7 months ago)
