Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, gathers analytics data for your WordPress website. It tracks information such as browser and operating system details, plus page visits, to optimize the website analytics.

Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.


  • 2019/05/16: Initial disclosure
  • 2019/05/20: Patch released (4.8.1)
  • 2019/05/21: Blog post released


This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin's access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index, the default page shown once you log in.

Continue reading Slimstat: Stored XSS from Visitors at Sucuri Blog.

Story added 21. May 2019, content source with full text you can find at link above.