WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations

Nick

The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability in versions prior to 12.6.7.

This vulnerability can only be exploited under certain configurations—the default settings are not vulnerable.

Timeline 

  • 2019/06/26 – Initial contact to the developer.
  • 2019/06/27 – Response from the developer, disclosure of the vulnerability.
  • 2019/06/30 – Patch proposed for review.

Continue reading WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations at Sucuri Blog.
