The plugin does not escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
As admin, put the following payload in the “Provide your IP-API Pro key”, “Memcached Server Host”, “Set the realtime script refresh inverval” or “Memcached Server Port” settings and save: `"autofocus onfocus=alert(/XSS/)//`

Note: for settings expecting an integer, change the `type=number` to `type=text` with the browser inspector to be able to put the payload.
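The following is an added example, not the plugin's code or its actual patch. It contrasts a settings field echoed verbatim into a `value` attribute with the same field escaped for the attribute context, plus server-side integer validation for the port and refresh-interval settings. The function names and the `memcached_host` field name are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` when the file is run outside WordPress.

```php
<?php
// Added illustration; function and field names are hypothetical, not the plugin's code.

// Use WordPress's esc_attr() when it is loaded; otherwise fall back to the plain
// PHP equivalent so this file also runs stand-alone with `php example.php`.
function attr_escape(string $value): string {
    return function_exists('esc_attr')
        ? esc_attr($value)
        : htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored setting is placed into value="..." verbatim,
// so a double quote in the setting ends the attribute early.
function render_field_unescaped(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// Hardened pattern: escape at output time, for the attribute context.
function render_field_escaped(string $name, string $stored): string {
    return '<input type="text" name="' . attr_escape($name)
         . '" value="' . attr_escape($stored) . '">';
}

// Integer settings (port, refresh interval): validate on save, server side.
// type=number in the form is only a client-side hint and is trivially bypassed.
function sanitize_int_setting($raw, int $min, int $max, int $default): int {
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

// Sample input: the payload quoted in the advisory text above.
$payload = '"autofocus onfocus=alert(/XSS/)//';

// Unescaped: the quote closes value="" and the rest becomes new attributes.
echo render_field_unescaped('memcached_host', $payload), PHP_EOL;
// Escaped: the quote is emitted as &quot; and the payload stays inside value="".
echo render_field_escaped('memcached_host', $payload), PHP_EOL;
// Non-integer input falls back to the default; a valid port is kept as an int.
echo sanitize_int_setting($payload, 1, 65535, 11211), PHP_EOL;
echo sanitize_int_setting('11212', 1, 65535, 11211), PHP_EOL;
```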
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-server-stats | lt | 1.7.0 |