Vulnerability Description
The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Veronalabs | Wp Statistics | <= 13.1.5 |
Related Weaknesses (CWE)
References
- https://gist.github.com/Xib3rR4dAr/af90cef7867583ab2de4cccea2a8c87dExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25305Third Party Advisory
- https://gist.github.com/Xib3rR4dAr/af90cef7867583ab2de4cccea2a8c87dExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25305Third Party Advisory
FAQ
What is CVE-2022-25305?
CVE-2022-25305 is a vulnerability with a CVSS score of 7.2 (HIGH). The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which...
How severe is CVE-2022-25305?
CVE-2022-25305 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25305?
Check the references section above for vendor advisories and patch information. Affected products include: Veronalabs Wp Statistics.