Vulnerability Description
The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Veronalabs | Wp Statistics | <= 13.1.5 |
Related Weaknesses (CWE)
References
- https://gist.github.com/Xib3rR4dAr/89fc87ea1d62348c21c99fc11a3bfd88ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25306Third Party Advisory
- https://gist.github.com/Xib3rR4dAr/89fc87ea1d62348c21c99fc11a3bfd88ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25306Third Party Advisory
FAQ
What is CVE-2022-25306?
CVE-2022-25306 is a vulnerability with a CVSS score of 7.2 (HIGH). The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php ...
How severe is CVE-2022-25306?
CVE-2022-25306 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25306?
Check the references section above for vendor advisories and patch information. Affected products include: Veronalabs Wp Statistics.