Wordpress
July 4, 2020

Slimstat: Stored XSS from Visitors

Nick

The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser and operating system details, plus page visits to optimize the website analytics.

Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.

Timeline

  • 2019/05/16: Initial disclosure
  • 2019/05/20: Patch released (4.8.1)
  • 2019/05/21: Blog post released

Details

This vulnerability allows a visitor to inject arbitrary JavasScript code on the plugin access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index—‚ the default page shown once you log in.

Continue reading Slimstat: Stored XSS from Visitors at Sucuri Blog.

Share this:
Twitter icon Facebook icon LinkedIn icon Pinterest icon

More great articles

WordPress Vulnerabilities & Patch Roundup — July 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are…

Read Story
Wordpress
July 29, 2022

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 1, 2024 to July 7, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?…

Read Story
Wordpress
July 11, 2024

High Severity Vulnerability Patched in Child Theme Creator by Orbisius

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin…

Read Story
Wordpress
October 14, 2020

Emergency WordPress Help

One of our techs will get back to you within minutes.