XSS and SQLi Vulnerabilities in Slimstat Analytics Plugin

On August 24, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability and a Blind SQL Injection vulnerability in the Slimstat Analytics plugin, which is actively installed on more than 100,000 WordPress websites. The vulnerabilities enable threat actors with contributor-level permissions or higher to inject malicious web scripts into pages, or to execute SQL queries by appending them to an existing SQL query, using the plugin’s shortcode.
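Both issues share one root cause: a shortcode attribute that any contributor can supply in a post reaches the page output without escaping and reaches the database without a prepared statement. The following is an added illustration of that pattern and its fix, not Slimstat's code; the shortcode name, table name, attribute names and the allowed-value list are hypothetical.

```php
<?php
// Added illustration (not the plugin's code). Names below are hypothetical:
// a shortcode [example_stats metric="..." label="..."] that counts rows and
// renders a label. Shortcode attributes are attacker-controlled whenever a
// contributor-level user can write post content.

// VULNERABLE pattern: the attribute is concatenated into SQL and echoed raw.
function example_stats_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $a = shortcode_atts( array( 'metric' => 'visits', 'label' => '' ), $atts, 'example_stats' );
    // Unprepared query: the attribute becomes part of the SQL text (SQLi).
    $count = $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_stats WHERE metric = '{$a['metric']}'"
    );
    // Unescaped output: the attribute is written straight into the page (stored XSS).
    return "<span class='stat'>{$a['label']}: {$count}</span>";
}

// HARDENED pattern: whitelist the attribute, bind the query value, escape on output.
function example_stats_shortcode_hardened( $atts ) {
    global $wpdb;
    $allowed_metrics = array( 'visits', 'pageviews', 'unique_ips' ); // hypothetical list
    $a = shortcode_atts( array( 'metric' => 'visits', 'label' => '' ), $atts, 'example_stats' );

    // Only a fixed set of values may reach the query, so the attribute can
    // never change the statement's structure.
    $metric = in_array( $a['metric'], $allowed_metrics, true ) ? $a['metric'] : 'visits';

    // $wpdb->prepare() binds the value instead of concatenating it.
    $count = (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}example_stats WHERE metric = %s",
            $metric
        )
    );

    // esc_html() neutralises markup in the label before it is returned as HTML.
    return '<span class="stat">' . esc_html( $a['label'] ) . ': ' . $count . '</span>';
}

add_shortcode( 'example_stats', 'example_stats_shortcode_hardened' );
```

When auditing a plugin for this class of bug, trace every value returned by `shortcode_atts()` to its sinks: each one that ends up in markup should pass through an `esc_*()` function for its context, and each one that ends up in SQL should be either whitelisted or bound through `$wpdb->prepare()`.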

We urge users to update their sites with the latest patched version of Slimstat Analytics, version 5.0.10 at the time of this writing, as soon as possible.

Vulnerabilities:

  1. Stored Cross-Site Scripting (XSS):
    • Affected Plugin: Slimstat Analytics
    • CVE ID: CVE-2023-4597
    • Description: Authenticated attackers with contributor-level access could inject harmful scripts into pages.
  2. Blind SQL Injection:
    • Affected Plugin: Slimstat Analytics
    • CVE ID: CVE-2023-4598
    • Description: Authenticated attackers with contributor-level access could execute SQL queries, potentially extracting sensitive data from the database.

Disclosure Timeline:

  • August 24, 2023: Vulnerabilities discovered.
  • August 28, 2023: Patch (version 5.0.10) released.