WordPress Plugin Vulnerabilities

NewStatPress <= 1.0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

An insufficient user input validation (of HTTP-Header: "Referer") results in a persistent XSS in the WordPress admin-panel. An attacker may be able to access any cookies, session tokens or other sensitive information retained by the browser and used with that site.

Affects Plugins

Plugin icon
newstatpress
Fixed in 1.0.4

References

CVE
CVE-2015-9314

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
HSASec
Submitter website
https://www.hsasec.de
Submitter twitter
HSASec
Verified
No
WPVDB ID
57a6c672-905b-4931-9c04-26965a56a189

Timeline

Publicly Published
2015-06-30 (about 8 years ago)
Added
2015-06-30 (about 8 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2023-07-11
Title
Post SMTP < 2.5.8 - Unauthenticated Stored Cross-Site Scripting via Email Contents
Published
2024-03-20
Title
Invitation Code Content Restriction Plugin from CreativeMinds < 1.5.5 - Reflected Cross-Site Scripting
Published
2023-02-09
Title
Scriptless Social Sharing < 3.2.2 - Contributor+ Stored XSS
Published
2023-04-21
Title
eRocket < 1.2.5 - Admin+ Stored XSS
Published
2024-01-16
Title
BA Plus <= 1.0.3 - Reflected Cross-Site Scripting