Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormFurkan OzerPACKETSTORM:177052
HistoryFeb 09, 2024 - 12:00 a.m.

Advanced Page Visit Counter 1.0 Cross Site Scripting

2024-02-0900:00:00
Furkan Ozer
packetstormsecurity.com
101
wordpress
analytics
plugin
cross-site scripting
vulnerability
stored
xss
website
tracking
data privacy
security

7.4 High

AI Score

Confidence

Low

JSON
`# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site  
Scripting (XSS) (Authenticated)  
# Date: 11.10.2023  
# Exploit Author: Furkan ร–ZER  
# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/  
# Version: 8.0.5  
# Tested on: Kali-Linux,Windows10,Windows 11  
# CVE: N/A  
  
  
# Description:  
Advanced Page Visit Counter is a remarkable Google Analytics alternative  
specifically designed for WordPress websites, and it has quickly become a  
must-have plugin for website owners and administrators seeking powerful  
tracking and analytical capabilities. With the recent addition of Enhanced  
eCommerce Tracking for WooCommerce, this plugin has become even more  
indispensable for online store owners.  
  
Homepage | Support | Premium Version  
  
If youโ€™re in search of a GDPR-friendly website analytics plugin exclusively  
designed for WordPress, look no further than Advanced Page Visit Counter.  
This exceptional plugin offers a compelling alternative to Google Analytics  
and is definitely worth a try for those seeking enhanced data privacy  
compliance.  
  
This is a free plugin and doesnโ€™t require you to create an account on  
another site. All features outlined below are included in the free plugin.  
  
Description of the owner of the plugin Stored Cross-Site Scripting attack  
against the administrators or the other authenticated users.  
  
The plugin does not sanitise and escape some of its settings, which could  
allow high privilege users such as admin to perform Stored Cross-Site  
Scripting attacks even when the unfiltered_html capability is disallowed  
(for example in multisite setup)  
  
The details of the discovery are given below.  
  
# Steps To Reproduce:  
1. Install and activate the Advanced Page Visit Counter plugin.  
2. Visit the "Settings" interface available in settings page of the plugin  
that is named "Widget Settings"  
3. In the plugin's "Today's Count Label" setting field, enter the payload  
Payload: " "type=image src=1 onerror=alert(document.cookie)> "  
6. Click the "Save Changes" button.  
7. The XSS will be triggered on the settings page when every visit of an  
authenticated user.  
  
  
# Video Link  
https://youtu.be/zcfciGZLriM  
  
`

7.4 High

AI Score

Confidence

Low

JSON