WordPress Slimstat Analytics Plugin <= 5.0.4 is vulnerable to Cross Site Scripting (XSS)
Description
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics plugin <= 5.0.4 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Slimstat Analytics (wp-slimstat) <= 5.0.4 contains a reflected XSS reachable without authentication: a crafted link, when opened by a logged-in user such as an administrator, executes attacker-supplied script in that user's browser within the site's origin.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Slimstat Analytics plugin (wp-slimstat) for WordPress, affecting versions up to and including 5.0.4 [1]. The flaw lets an unauthenticated attacker place arbitrary JavaScript in a request parameter that the plugin echoes back, unescaped, into the response, where the victim's browser executes it. The vulnerable parameter is not identified in the available references; exploitation requires the victim to open a crafted URL, for example by clicking a malicious link.
Exploitation
The attacker crafts a URL carrying a script payload in a parameter the plugin processes. No authentication is needed to build or deliver the link; the attacker must instead lure a user, typically an administrator or another logged-in user, into opening it. The script then runs in the origin of the WordPress site, with the victim's session. The CVE description classifies the flaw as reflected XSS: the payload is not stored on the server but returned immediately in the response to the crafted request, so each victim must be delivered the link individually.
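The references do not name the affected parameter, so the following is an added illustration of the pattern the Vulnerability and Exploitation sections describe, not Slimstat's own code. The parameter name `filter` and both render functions are hypothetical; the only real APIs are WordPress's `esc_html()`/`esc_attr()`, for which the block defines `htmlspecialchars()` fallbacks so it also runs outside WordPress with `php reflected_xss_demo.php`.

```php
<?php
// Added example, not code from the Slimstat plugin. The parameter `filter`
// and the two render_* functions are hypothetical stand-ins for a handler
// that echoes request input back into the page.
//
// Fallbacks so the file runs outside WordPress; inside WordPress the real
// esc_html()/esc_attr() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: a GET parameter concatenated straight into markup.
// Whatever the crafted link carries is reflected verbatim into the response.
function render_filter_vulnerable(array $get): string {
    $filter = $get['filter'] ?? '';
    return '<p>Showing results for: ' . $filter . '</p>'
         . '<input type="text" name="filter" value="' . $filter . '">';
}

// Hardened pattern: escape for the context each value lands in
// (text node -> esc_html, attribute value -> esc_attr) at output time.
function render_filter_hardened(array $get): string {
    $filter = $get['filter'] ?? '';
    return '<p>Showing results for: ' . esc_html($filter) . '</p>'
         . '<input type="text" name="filter" value="' . esc_attr($filter) . '">';
}

// Constructed request: the query string a victim's browser would send after
// clicking a crafted link. The leading `">` breaks out of the value attribute.
$crafted = ['filter' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n", render_filter_vulnerable($crafted), "\n\n";
echo "Hardened output:\n", render_filter_hardened($crafted), "\n";

// Sanity check: the escaped response must not contain a live <script> tag.
if (stripos(render_filter_hardened($crafted), '<script') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

In the vulnerable output the payload closes the `value` attribute and the input tag, then injects a `<script>` element; in the hardened output the same bytes appear as `&quot;&gt;&lt;script&gt;...` and render as literal text. Escaping at the point of output, per context, is the fix; sanitizing the input on the way in is not a substitute, because the same value may be written into HTML text, an attribute, and JavaScript, each of which needs different encoding.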
Impact
Successful exploitation executes arbitrary JavaScript in the victim's browser within the site's origin. This permits theft of cookies or authentication tokens that are not protected by HttpOnly, page defacement, and requests made through the victim's session, including admin actions that carry the victim's nonces. Because the attack is reflected, each exploitation is bounded by the session of the user who opened the link; if that user is an administrator, the attacker can act with administrator privileges on the site.
Mitigation
The vulnerability is fixed in version 5.0.5 of the Slimstat Analytics plugin [1]. Users are strongly advised to update immediately to version 5.0.5 or later. As of the publication date (2023-05-25), no workarounds are documented. The plugin is available via the WordPress Plugin Directory, and automatic updates should be enabled.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.0.4
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.