Slimstat Analytics <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting
Description
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the resource parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping when logging visitor requests. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in SlimStat Analytics plugin for WordPress up to 5.2.6 allows unauthenticated attackers to inject arbitrary scripts via the resource parameter.
Vulnerability
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 5.2.6. The vulnerability exists in the resource parameter when logging visitor requests, due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts that are stored and later executed when a user accesses a page displaying the logged data.
Exploitation
An unauthenticated attacker can craft a malicious HTTP request containing a JavaScript payload in the resource parameter. The plugin logs this request without proper sanitization, and the payload is stored in the database. When an administrator or other user views the analytics reports (e.g., the access log), the injected script executes in their browser, leading to XSS.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. No authentication or special privileges are required to trigger the vulnerability.
Mitigation
According to the WordPress plugin repository, the latest version of the plugin is 5.4.12 [1], but the advisory does not explicitly confirm that this version fixes the issue. Users should update to the latest available version and monitor for a security release. If no patch is available, consider disabling the plugin or using a web application firewall to block malicious requests. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
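As an added illustration (not Slimstat's own code, and independent of how the plugin actually stores or renders the field), the two patterns the advisory contrasts: a logged request path written into an admin report unescaped, and the same path escaped on output with an input-normalisation step as defence in depth. The function names and the sample visit record are constructed for this example.

```php
<?php
// Constructed sample of a logged visit, shaped like a row a stats plugin
// might persist. The resource value is what an unauthenticated visitor sent.
const SAMPLE_VISIT = [
    'ip'       => '203.0.113.7',
    'resource' => '/shop/?q=<script>alert(document.cookie)</script>',
];

// Vulnerable pattern: the stored value is interpolated straight into HTML.
// Whatever the visitor sent becomes live markup when an admin opens the report.
function render_row_unescaped(array $visit): string
{
    return '<tr><td>' . $visit['ip'] . '</td><td>' . $visit['resource'] . '</td></tr>';
}

// Hardened pattern: escape at the point of output. ENT_QUOTES turns <, >, &, "
// and ' into entities, so the browser displays the path as text. Inside
// WordPress the core helper esc_html() does the same job.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_escaped(array $visit): string
{
    return '<tr><td>' . esc($visit['ip']) . '</td><td>' . esc($visit['resource']) . '</td></tr>';
}

// Defence in depth on the input side: drop control characters and bound the
// length before storing. This keeps the URL intact and does NOT remove angle
// brackets, so output escaping above remains mandatory.
function normalize_resource(string $path): string
{
    $path = preg_replace('/[\x00-\x1F\x7F]/', '', $path) ?? '';
    return substr($path, 0, 2048);
}

// Self-check when run from the CLI: the unescaped row still carries a live
// <script> tag, the escaped row carries only entities.
$stored = SAMPLE_VISIT;
$stored['resource'] = normalize_resource($stored['resource']);
$unsafe = render_row_unescaped($stored);
$safe   = render_row_escaped($stored);
if (!str_contains($unsafe, '<script>') || str_contains($safe, '<script>')) {
    throw new RuntimeException('escaping check failed');
}
echo "unescaped: {$unsafe}\n";   // contains <script>...</script>
echo "escaped:   {$safe}\n";     // contains &lt;script&gt;...&lt;/script&gt;
```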
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.2.6
Patches
- 1a0f72bf4e3af