CVE-2022-1005

Severity
6.1 MEDIUM
EPSS
0.3%
top 43.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 8
Latest update: Jun 9

Description

The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages
2 packages

CVEListV5 | unknown/wp_statistics | 13.2.2 | 13.2.2

Vulnerability Details

2
GHSA
GHSA-wg9r-22jj-fhcq: The WP Statistics WordPress plugin before 13 | 2022-06-09
CVEList
WP Statistics < 13.2.2 - Reflected Cross-Site Scripting | 2022-06-06