- The vulnerability can allow an attacker to inject arbitrary JavaScript code on the plugin access log.
- Versions prior to 4.8.1 of the Slimstat plugin are affected by the XSS vulnerability.
The WordPress Slimstat plugin, which has currently over 100k installs, has been found to be impacted by Cross-Site Scripting (XSS) vulnerability. The vulnerability can allow an attacker to inject arbitrary JavaScript code on the plugin access log.
About Slimstat plugin
The Slimstat plugin allows the owner to gather analytics data for a WordPress website. It helps the owner to keep track of certain information such as the browser and operating system details. The plugin also monitors the pages visited by outsiders to optimize the website analytics.
What is the flaw?
Versions prior to 4.8.1 of the Slimstat plugin are affected by the XSS vulnerability.
According to the researchers from Sucuri, “This vulnerability allows a visitor to inject arbitrary JavaScript code on the plugin access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index—‚ the default page shown once you log in.”
Once the attackers gain control of access log, they can see the details of the users accessing the website. The details include IP address, operating system, browser, and other installed plugins.
“These are found by an analytics client-side script which fingerprints the client information and then performs a request to the plugin while giving out its own properties,” added the researchers.
How to stay safe?
Those using the vulnerable versions of the plugin have been instructed to update their systems as soon as possible.
To read the original article:https://cyware.com/news/slimstat-wordpress-plugin-found-to-be-affected-by-xss-vulnerability-d170533a