WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations

Nick

The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability in versions prior to 12.6.7.

This vulnerability can only be exploited under certain configurations—the default settings are not vulnerable.

Timeline 

  • 2019/06/26 – Initial contact to the developer.
  • 2019/06/27 – Response from the developer, disclosure of the vulnerability.
  • 2019/06/30 – Patch proposed for review.

Continue reading WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations at Sucuri Blog.
