Slimstat: Stored XSS from Visitors

Nick

The WordPress Slimstat plugin, which currently has over 100k installs, lets a WordPress website gather its own analytics data. It tracks information such as visitors' browser and operating system details, plus page visits, to build the website's analytics.

Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.

Timeline

  • 2019/05/16: Initial disclosure
  • 2019/05/20: Patch released (4.8.1)
  • 2019/05/21: Blog post released

Details

This vulnerability allows a visitor to inject arbitrary JavaScript code through the plugin's access log functionality, which is visible both on the plugin's access log page and on the admin dashboard index, the default page shown once you log in.
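The root cause class described above is visitor-controlled data (request headers, requested paths) being stored by an analytics plugin and later written into an administrator page without output encoding. The following PHP is an added example, not Slimstat's code; the column names and the sample visit row are constructed for illustration, and the unsafe renderer is shown only as the pattern to avoid beside its hardened counterpart.

```php
<?php
// Added example (not Slimstat's or Sucuri's code): rendering stored,
// visitor-controlled analytics fields in an admin page.
// Field names and the sample row below are assumptions constructed for this example.

declare(strict_types=1);

/** Constructed sample row as an analytics plugin might store it. */
function sample_visit(): array
{
    return [
        'ip'         => '203.0.113.7',
        'browser'    => 'Firefox',
        'platform'   => 'Linux',
        // Visitor-controlled header value carrying markup (constructed).
        'user_agent' => 'Mozilla/5.0 <script>alert(1)</script>',
    ];
}

/** Vulnerable pattern: stored values are concatenated straight into HTML. */
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['ip'] . '</td><td>' . $row['browser']
         . '</td><td>' . $row['user_agent'] . '</td></tr>';
}

/** Encode a value for an HTML text or attribute context. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every stored field is HTML-encoded at output time. */
function render_row_safe(array $row): string
{
    $cells = array_map('esc', [$row['ip'], $row['browser'], $row['user_agent']]);
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

/**
 * Detection aid for reviewing already-stored rows: flag any field that
 * contains HTML markup characters or a javascript: scheme.
 */
function has_markup(array $row): bool
{
    foreach ($row as $value) {
        if (preg_match('/[<>"\']|javascript:/i', (string) $value) === 1) {
            return true;
        }
    }
    return false;
}

$row = sample_visit();
// The unsafe renderer passes the visitor's markup through to the admin's browser;
// the safe renderer emits it as inert, encoded text.
echo render_row_unsafe($row), PHP_EOL;
echo render_row_safe($row), PHP_EOL;
var_dump(has_markup($row));
```

Inside WordPress the same encoding step is normally written with esc_html() for element content and esc_attr() for attribute values; the point is that encoding happens at render time for every stored field, because the browser and User-Agent columns of an access log are attacker-controlled input, not trusted plugin data. The has_markup() helper is a defender-side check for auditing rows stored before a fix was applied.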

Continue reading Slimstat: Stored XSS from Visitors at Sucuri Blog.
