Description

WordPress Plugin WP Statistics is prone to multiple vulnerabilities, including cross-site scripting and SQL injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, allowing the attacker to steal cookie-based authentication credentials, or to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin WP Statistics version 13.1.5 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 13.1.6 or latest

References

https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042

https://gist.github.com/Xib3rR4dAr/af90cef7867583ab2de4cccea2a8c87d

https://gist.github.com/Xib3rR4dAr/8090a6d026d4601083cff80aa80de7eb

https://gist.github.com/Xib3rR4dAr/89fc87ea1d62348c21c99fc11a3bfd88

https://plugins.svn.wordpress.org/wp-statistics/trunk/readme.txt

Related Vulnerabilities

CKEditor Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2023-31541)

WordPress Plugin StatPress Multiple Unspecified Vulnerabilities (1.4.1)

WordPress Plugin Easy Media Download Cross-Site Scripting (1.1.4)

OpenSSL Cryptographic Issues Vulnerability (CVE-2015-3197)

WordPress Plugin Social Login by BestWebSoft Cross-Site Scripting (0.1)

Severity

High

Classification

CVE-2022-0651 CVE-2022-25148 CVE-2022-25149 CVE-2022-25305 CVE-2022-25306 CVE-2022-25307 CWE-79 CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update