Slimstat: Stored XSS from Visitors
The WordPress Slimstat plugin, which currently has over 100k installs, gathers analytics data for your WordPress website. It records details such as the visitor's browser and operating system, plus page visits, so that site analytics can be tuned.
Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.
- 2019/05/16: Initial disclosure
- 2019/05/20: Patch released (4.8.1)
- 2019/05/21: Blog post released
This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin's access log, which is rendered both on the plugin's access log page and on the admin dashboard index, the default page shown once you log in. Because the payload is stored and rendered wherever the log is displayed, an unauthenticated visitor only needs to make a request to the site; the script then executes in the browser of any administrator who opens the dashboard.
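To make the mechanism concrete, here is an added example that is not Slimstat's code and is not taken from the advisory: a tiny analytics log rendered into a dashboard table twice, once by string concatenation with no escaping, once with every visitor-controlled value HTML-escaped at output time. The sample visits, the payloads, and the choice of the User-Agent header and request path as the injection vectors are all constructed assumptions; the advisory does not say which request attribute Slimstat rendered unescaped.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample of what an analytics plugin might record per visit.
# The second entry carries attacker-supplied values in two visitor-controlled
# fields; the fields themselves are an assumption for illustration.
SAMPLE_VISITS = [
    {"ip": "203.0.113.5",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0",
     "path": "/"},
    {"ip": "198.51.100.9",
     "user_agent": '<script>fetch("/wp-admin/user-new.php")</script>',
     "path": "/?s=<img src=x onerror=alert(document.cookie)>"},
]

COLUMNS = ("ip", "user_agent", "path")


def render_vulnerable(visits):
    """Dashboard table built by interpolating stored values verbatim.

    Anything a visitor put into the logged fields becomes live markup in the
    administrator's browser: this is the stored XSS pattern.
    """
    rows = []
    for v in visits:
        cells = "".join("<td>%s</td>" % v[k] for k in COLUMNS)
        rows.append("<tr>%s</tr>" % cells)
    return "<table>" + "".join(rows) + "</table>"


def render_hardened(visits):
    """Same table, with every visitor-controlled value escaped at output time.

    escape() converts < > & " ' to entities, so the browser shows the payload
    as text instead of parsing it. In WordPress the equivalent calls are
    esc_html() / esc_attr() applied at the point of output.
    """
    rows = []
    for v in visits:
        cells = "".join("<td>%s</td>" % escape(str(v[k]), quote=True)
                        for k in COLUMNS)
        rows.append("<tr>%s</tr>" % cells)
    return "<table>" + "".join(rows) + "</table>"


class _TagCollector(HTMLParser):
    """Collects every start tag the browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered):
    """Tag names present in the output that the table template never emits.

    An empty list means no visitor-controlled value became markup.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return sorted(set(parser.tags) - {"table", "tr", "td"})


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(SAMPLE_VISITS)))
    print("hardened:  ", injected_tags(render_hardened(SAMPLE_VISITS)))
```

The check deliberately parses the rendered HTML rather than grepping for `<script>`, because a payload does not need a script tag: an `onerror` handler on an image, as in the constructed path value, runs just as well. The fix is output encoding at render time, not input filtering at log time; the log should keep the raw value so that analysts can see exactly what the visitor sent.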