StatCounter < 2.0.7 - Admin+ Stored Cross-Site Scripting
Description
The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The StatCounter WordPress plugin before 2.0.7 has a stored XSS vulnerability in its settings, allowing high-privilege users to inject arbitrary scripts.
Vulnerability
The StatCounter WordPress plugin versions prior to 2.0.7 fail to sanitize and escape the Project ID and Secure Code settings. This allows high-privilege users (e.g., administrators) to inject arbitrary JavaScript into these fields, which is then stored and executed when the settings page is rendered [1].
Exploitation
An attacker with administrative access to the WordPress dashboard can navigate to the StatCounter settings page and input malicious JavaScript into the Project ID or Secure Code fields. Upon saving the settings, the injected script is stored and will execute in the context of the admin panel whenever the settings are viewed. No additional user interaction is required beyond the initial save [1].
Impact
Successful exploitation results in stored cross-site scripting (XSS) within the WordPress admin area. The attacker can execute arbitrary JavaScript, potentially leading to session hijacking, defacement, or further compromise of the site. The attack is persistent and affects any administrator who visits the settings page [1].
Mitigation
Update the StatCounter plugin to version 2.0.7 or later, which fixes the vulnerability by properly sanitizing and escaping the affected settings. No workarounds are documented. The fix was publicly disclosed on 2022-01-26 [1].
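The fix described above has two halves: validate the setting when it is saved, and escape it when it is rendered back into the settings form. The following plain-PHP example is added here to illustrate both; it is not code from the StatCounter plugin or from the references. It assumes (not stated on the page) that a Project ID is a positive integer and a Secure Code is a short alphanumeric token, and uses generic field names; the WordPress functions that play the same roles in a real plugin are named in comments.

```php
<?php
// Added example (not the plugin's code): sanitise on save, escape on output.
// Plain PHP so it runs from the CLI; WordPress equivalents are noted in comments.

// ASSUMPTION: a StatCounter Project ID is a positive integer and a Secure Code
// is a short alphanumeric token. Adjust the patterns if the real formats differ.
function sanitize_project_id(string $raw): string {
    // WordPress: absint() is the usual sanitize_callback for integer settings.
    $raw = trim($raw);
    return ctype_digit($raw) ? $raw : '';
}

function sanitize_secure_code(string $raw): string {
    // WordPress: sanitize_text_field() plus a format check in the sanitize_callback.
    $raw = trim($raw);
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $raw) === 1 ? $raw : '';
}

// Output escaping for an HTML attribute context (WordPress: esc_attr()).
function esc_attr_value(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The defect the advisory describes: the stored value is echoed straight into the form.
function render_field_vulnerable(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// The fix: the value is escaped for the attribute context at render time. Combined
// with save-time sanitisation this gives two independent layers; either one alone
// neutralises the stored script in this field.
function render_field_fixed(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . esc_attr_value($stored) . '">';
}

// Constructed input of the shape an administrator could type into the settings form.
$payload = '"><script>alert(1)</script>';

// Vulnerable path: the markup breaks out of the attribute and the script tag is live.
echo "vulnerable: ", render_field_vulnerable('project_id', $payload), "\n";

// Fixed path, save-time layer: a non-numeric Project ID is rejected and nothing is stored.
echo "sanitised:  ", render_field_fixed('project_id', sanitize_project_id($payload)), "\n";

// Fixed path, output layer alone: even if a bad value had been stored, it renders as inert text.
echo "escaped:    ", render_field_fixed('secure_code', $payload), "\n";

// The sanitiser also rejects the payload for the Secure Code field.
var_dump(sanitize_secure_code($payload) === '');
```

Run with `php example.php`. The first line shows the raw `<script>` tag inside the form markup; the second shows an empty `value=""` because the input was rejected on save; the third shows the payload rendered as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text rather than executing. Applying both layers is the pattern WordPress's Settings API is built around (a `sanitize_callback` on `register_setting()` plus `esc_attr()` in the form template).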
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/StatCounter plugin
- Range: <2.0.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/changeset/2664933 (MITRE, x_refsource_CONFIRM)
- wpscan.com/vulnerability/b00b5037-8ce4-4f61-b2ce-33315b39454e (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.