WP Slimstat <= 4.8 - Unauthenticated Stored XSS from Visitors



Description
This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin’s access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index, the default page shown once you log in.

Affects Plugin

fixed in version 4.8.1

References

CVE 2019-15112
URL https://blog.sucuri.net/2019/05/slimstat-stored-xss-from-visitors.html
URL https://plugins.trac.wordpress.org/changeset/2091635/wp-slimstat

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Antony Garand
Views 4256
Verified No
WPVDB ID 9285

Timeline

Publicly Published 2019-05-21 (6 months ago)
Added 2019-05-22 (6 months ago)
Last Updated 2019-11-03 (11 days ago)
