VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2023 · Updated Apr 28, 2026

WordPress Slimstat Analytics Plugin <= 5.0.8 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-40676

Description

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics plugin <= 5.0.8 versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Admin-stored XSS in Slimstat Analytics <=5.0.8 allows attackers with admin privileges to inject malicious scripts via vulnerable fields.

Vulnerability

The vulnerability is an authenticated (admin+) stored cross-site scripting (XSS) issue in the Slimstat Analytics plugin for WordPress, affecting versions 5.0.8 and earlier [1]. The bug resides in the plugin's settings or report customization fields where insufficient input sanitization allows JavaScript injection. Admin-level access is required to reach the vulnerable code path, as the injection point is within the plugin's admin interface.

Exploitation

To exploit, an attacker must have an admin account on the target WordPress site. The attacker crafts a payload containing malicious JavaScript and injects it into a vulnerable field within Slimstat Analytics (e.g., custom report names or other customizable text areas). The script is stored in the database and executed when any other admin user views the affected admin page [1]. No additional user interaction beyond normal admin navigation is required.

Impact

Upon successful exploitation, the attacker can execute arbitrary JavaScript in the context of another admin's browser session [1]. This could lead to theft of session cookies, defacement of the admin interface, or further privilege escalation actions such as creating new admin users. The scope of the compromise is limited to the WordPress admin area, but the data accessible via admin privileges (user lists, settings, etc.) is fully exposed.

Mitigation

Slimstat Analytics version 5.4.12 does not list a specific security fix for CVE-2023-40676; users are nonetheless strongly advised to update to the latest available version (5.4.12 at the time of reference [1]), since the many releases since 5.0.8 have likely addressed this vulnerability. If an immediate update is not possible, restrict admin accounts to trusted individuals and avoid entering untrusted data into the plugin's customizable fields [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.