ID WPVDB-ID:FC822698-1F5A-4371-8C6E-2CA250C3C26D
Type wpvulndb
Reporter wpvulndb
Modified 2022-04-16T07:02:17
Description
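The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP, browser and platform parameters found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics. The record below lists versions before 13.1.6 as affected and maps the three parameters to CVE-2022-25305 (IP), CVE-2022-25306 (browser) and CVE-2022-25307 (platform); note that the per-CVE descriptions attribute the IP parameter to ~/includes/class-wp-statistics-ip.php and the browser parameter to ~/includes/class-wp-statistics-visitor.php rather than to the hits file.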
{"id": "WPVDB-ID:FC822698-1F5A-4371-8C6E-2CA250C3C26D", "vendorId": null, "type": "wpvulndb", "bulletinFamily": "software", "title": "WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting", "description": "The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP, browser and platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics\n", "published": "2022-02-17T00:00:00", "modified": "2022-04-16T07:02:17", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://wpscan.com/vulnerability/fc822698-1f5a-4371-8c6e-2ca250c3c26d", "reporter": "wpvulndb", "references": ["https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25305", "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25306", "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25307"], "cvelist": ["CVE-2022-25305", "CVE-2022-25306", 
"CVE-2022-25307"], "immutableFields": [], "lastseen": "2022-04-16T08:37:59", "viewCount": 10, "enchantments": {"backreferences": {"references": [{"type": "cve", "idList": ["CVE-2022-25305", "CVE-2022-25306", "CVE-2022-25307"]}]}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-25305", "CVE-2022-25306", "CVE-2022-25307"]}], "rev": 4}, "score": {"value": 4.7, "vector": "NONE"}, "vulnersScore": 4.7}, "_state": {"dependencies": 0}, "_internal": {}, "affectedSoftware": [{"version": "13.1.6", "operator": "lt", "name": "wp-statistics"}], "exploit": "", "sourceData": "", "generation": 0}
{"cve": [{"lastseen": "2022-03-23T10:28:09", "description": "The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-24T19:15:00", "type": "cve", "title": "CVE-2022-25307", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25307"], "modified": "2022-03-03T17:48:00", "cpe": ["cpe:/a:veronalabs:wp_statistics:13.1.5"], "id": "CVE-2022-25307", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25307", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:veronalabs:wp_statistics:13.1.5:*:*:*:*:wordpress:*:*"]}, {"lastseen": "2022-03-23T10:28:07", "description": "The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and 
sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-24T19:15:00", "type": "cve", "title": "CVE-2022-25305", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25305"], "modified": "2022-03-03T17:52:00", "cpe": ["cpe:/a:veronalabs:wp_statistics:13.1.5"], "id": "CVE-2022-25305", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25305", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:veronalabs:wp_statistics:13.1.5:*:*:*:*:wordpress:*:*"]}, {"lastseen": "2022-03-23T10:28:08", "description": "The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages 
that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-24T19:15:00", "type": "cve", "title": "CVE-2022-25306", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25306"], "modified": "2022-03-03T17:52:00", "cpe": ["cpe:/a:veronalabs:wp_statistics:13.1.5"], "id": "CVE-2022-25306", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25306", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:veronalabs:wp_statistics:13.1.5:*:*:*:*:wordpress:*:*"]}], "patchstack": [{"lastseen": "2022-04-20T19:33:04", "description": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability via 'platform' discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin (versions <= 13.1.5).\n\n## Solution\n\nUpdate the WordPress WP Statistics plugin to the latest available version (at least 13.1.6).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", 
"scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-17T00:00:00", "type": "patchstack", "title": "WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25307"], "modified": "2022-02-17T00:00:00", "id": "PATCHSTACK:21A2BCACA4E493EFE53FEFF65BBB3C40", "href": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-1-5-unauthenticated-stored-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-20T19:33:05", "description": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability via 'IP' discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin (versions <= 13.1.5).\n\n## Solution\n\nUpdate the WordPress WP Statistics plugin to the latest available version (at least 13.1.6).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-17T00:00:00", "type": "patchstack", "title": "WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25305"], "modified": "2022-02-17T00:00:00", "id": "PATCHSTACK:86A65C0D462F9F886A968BE33DDCA003", "href": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-1-5-unauthenticated-stored-cross-site-scripting-xss-vulnerability-2", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-20T19:33:05", "description": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability via 'browser' discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin (versions <= 13.1.5).\n\n## Solution\n\nUpdate the WordPress WP Statistics plugin to the latest available version (at least 13.1.6).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-17T00:00:00", "type": "patchstack", 
"title": "WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25306"], "modified": "2022-02-17T00:00:00", "id": "PATCHSTACK:94AF51541BDAFCC4B0F708D600F2836F", "href": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-1-5-unauthenticated-stored-cross-site-scripting-xss-vulnerability-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}