Source: wpvulndb
Author: James Hooker
WPVDB-ID: 46BF6C69-B612-4AEE-965D-91F53F642054
History: Jul 07, 2015 - 12:00 a.m.

NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS)

2015-07-07 00:00:00
James Hooker
wpscan.com
6

EPSS score: 0.001 (Low)
EPSS percentile: 37.8%

The NewStatPress plugin echoes, on lines 28 and 31 of the file 'includes/nsp_search.php', several values taken directly from the $_GET superglobal without sanitisation. WordPress does add slashes to quote characters in $_GET (via wp_magic_quotes()), but the values on these lines are printed outside of any quoted attribute, so a payload that contains no quote characters is emitted byte-for-byte and can be used to trigger a reflected Cross-Site Scripting attack.

PoC

The following URL triggers an alert box in Firefox when visited by a user who is logged in as an administrator (the vulnerable page is served under wp-admin, so an unauthenticated visitor cannot reach it):

http://localhost/wp-admin/admin.php?groupby1=checked><img+src%3Dx+onerror%3Dalert(1)&page=nsp_search&newstatpress_action=search

Note that the payload uses no quote characters at all: the leading token 'checked' closes the attribute list and the '>' terminates the input tag, after which the injected <img> element is parsed normally. This is exactly why the slash-escaping that WordPress applies to $_GET offers no protection here. The '+' decodes to a space and '%3D' to '='.
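The following is an added illustration, not code from NewStatPress or from the advisory, of the pattern the description and PoC above refer to: a $_GET value that has passed through addslashes() is still dangerous when it is dropped into a tag outside attribute quotes, and the fix is to never echo the raw value as markup. The radio-button markup and the allowlist of groupby1 values ('day', 'month', 'year') are assumptions for the sake of the example; the real lines 28 and 31 of nsp_search.php are not reproduced on this page. It runs standalone with the PHP CLI and has no WordPress dependency.

```php
<?php
// Added example (not NewStatPress code). Demonstrates why slash-escaping $_GET
// does not stop reflected XSS when the value is echoed outside attribute quotes,
// and shows two safe alternatives. Markup and option names are assumptions.

// Constructed request matching the advisory's PoC URL.
$rawGet = [
    'groupby1'            => 'checked><img src=x onerror=alert(1)',
    'page'                => 'nsp_search',
    'newstatpress_action' => 'search',
];

// WordPress runs wp_magic_quotes() on $_GET, which addslashes() every value.
// Emulate that here so the demo runs without WordPress. The payload contains
// no quote or backslash characters, so addslashes() leaves it untouched.
$slashedGet = array_map('addslashes', $rawGet);

// Vulnerable pattern (assumed shape of the original lines): the slashed value
// is concatenated into the tag unquoted, so '>' ends the <input> element and
// everything after it becomes new markup.
function render_vulnerable(array $get): string
{
    return '<input type="radio" name="groupby1" value="day" '
         . $get['groupby1'] . '>';
}

// Hardened pattern: compare the request value against an allowlist and emit
// only a fixed 'checked' token; the raw input is never written to the page.
// In WordPress the same effect is obtained with checked( $selected, $option ).
function render_hardened(array $get): string
{
    $allowed  = ['day', 'month', 'year']; // assumed option set
    $selected = $get['groupby1'] ?? '';
    $html = '';
    foreach ($allowed as $option) {
        $checked = ($selected === $option) ? ' checked' : '';
        $html .= '<input type="radio" name="groupby1" value="' . $option . '"'
               . $checked . '>' . "\n";
    }
    return $html;
}

// If a value genuinely must be reflected (a search term, say), escape it for
// the HTML attribute context AND keep it inside double quotes. WordPress
// equivalent: esc_attr(). Note that stripslashes() is needed first because
// wp_magic_quotes() has already added slashes to the request data.
function render_reflected(array $get): string
{
    $term = stripslashes($get['groupby1'] ?? '');
    return '<input type="text" name="q" value="'
         . htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

echo "addslashes() left the payload intact: "
   . var_export($slashedGet['groupby1'] === $rawGet['groupby1'], true) . "\n\n";
echo "vulnerable output:\n" . render_vulnerable($slashedGet) . "\n\n";
echo "hardened output:\n" . render_hardened($slashedGet) . "\n";
echo "reflected (escaped) output:\n" . render_reflected($slashedGet) . "\n";
```

Running it prints the vulnerable line as `<input type="radio" name="groupby1" value="day" checked><img src=x onerror=alert(1)>`, i.e. a second, attacker-controlled element, while the hardened output contains no trace of the request value and the escaped output keeps it inert inside the quoted attribute as `checked&gt;&lt;img src=x onerror=alert(1)`. The general rule for WordPress plugins is the one the hardened function follows: decide what to print from an allowlist, and pass anything that must be echoed through esc_attr(), esc_html() or esc_url() as appropriate for the context.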

CPE
Name          Operator  Version
newstatpress  lt        1.0.6

