WordPress Plugin Vulnerabilities

WP SlimStat <= 3.9.1 - Cross-Site Scripting (XSS)

Description

WP SlimStat Plugin for WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects WP-SlimStat Plugin 3.9.1; other Old versions may also be vulnerable.

Sample Payload for Reflected XSS:

http://www.example.com/wordpress/wp-admin/admin.php?page=wp-slim-view-2&fs[resource]=equals+/wordpress/?s='><script>alert("XSS")</script>

Affects Plugins

Plugin icon
wp-slimstat
Fixed in 3.9.2

References

CVE
CVE-2015-1204

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
LOUDIYI MOHAMED
Verified
Yes
WPVDB ID
ab828ebf-d0e1-401a-a234-0d02dc05a09b

Timeline

Publicly Published
2015-01-06 (about 9 years ago)
Added
2015-01-06 (about 9 years ago)
Last Updated
2019-10-21 (about 4 years ago)

Other

Published
Title
Published
2024-04-03
Title
Better Comments < 1.5.6 - Admin+ Stored XSS
Published
2015-03-31
Title
WordPress Leads 1.6.1-1.6.2 - Stored XSS
Published
2023-03-14
Title
Easy Event calendar <= 1.0 - Admin+ Stored XSS
Published
2023-06-05
Title
Social Media Share Buttons & Social Sharing Icons < 2.8.2 - Admin+ Stored XSS
Published
2023-09-21
Title
Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting