CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2194 – WP Statistics <= 14.5 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-2194
11 Mar 2024 — The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento WP Statistics para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro de búsqueda de URL en toda... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047756%40wp-statistics&new=3047756%40wp-statistics&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0955 – WP Statistics < 14.0 - Authenticated SQLi
https://notcve.org/view.php?id=CVE-2023-0955
06 Mar 2023 — The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well. The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the $days_time_list value in versions up to, and including, 13.2.16 due to insufficient escaping on the u... • https://wpscan.com/vulnerability/18b7e93f-b038-4f28-918b-4015d62f0eb8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38074 – WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2022-38074
31 Jan 2023 — SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions. The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the ‘limit’ parameter in versions up to, and including, 13.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for subscriber-level attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information f... • https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4230 – WP Statistics < 13.2.9 - Authenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4230
27 Dec 2022 — The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well. Las versiones del complemento WP Statistics de WordPress anteriores a la 13.2.9 no escapan uno de los parámetros, lo que podría permitir a usuarios autenticados realizar ataques... • https://wpscan.com/vulnerability/a0e40cfd-b217-481c-8fc4-027a0a023312 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27231 – WP Statistics <= 13.1.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-27231
24 May 2022 — Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product. Se presenta una vulnerabilidad de tipo cross-site scripting en WP Statistics versiones anteriores a 13.2.0, porque procesa inapropiadamente un parámetro de plataforma. Al explotar esta vulnerabilidad, puede ejecutarse un ... • https://jvn.jp/en/jp/JVN15241647/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1005 – WP Statistics < 13.2.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1005
11 May 2022 — The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters El plugin WP Statistics de WordPress versiones anteriores a 13.2.2, no sanea el parámetro REQUEST_URI antes de devolverlo a la página, lo que conlleva problemas de tipo Cross-Site Scripting (XSS) en los navegadores que no codifican los caracteres • https://wpscan.com/vulnerability/f37d1d55-10cc-4202-8d16-9ec2128f54f9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-25307 – WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via platform
https://notcve.org/view.php?id=CVE-2022-25307
17 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. El plugin WP Statistics de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting debido a un escape y saneo insuficientes... • https://gist.github.com/Xib3rR4dAr/8090a6d026d4601083cff80aa80de7eb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 9%CPEs: 1EXPL: 3CVE-2022-25148 – WP Statistics <= 13.1.5 Unauthenticated Blind SQL Injection via current_page_id
https://notcve.org/view.php?id=CVE-2022-25148
16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. El plugin WP Statistics de WordPress es vulnerable a una inyección SQL debido a un escape y parametrización insuficientes del parámetro current_page_id en... • https://www.exploit-db.com/exploits/51711 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-25305 – WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via IP
https://notcve.org/view.php?id=CVE-2022-25305
16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. El plugin WP Statistics de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting debido a un escape y saneo insuficientes del par... • https://gist.github.com/Xib3rR4dAr/af90cef7867583ab2de4cccea2a8c87d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-25306 – WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via browser
https://notcve.org/view.php?id=CVE-2022-25306
16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. El plugin WP Statistics de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting debido a un escape y saneo insuficient... • https://gist.github.com/Xib3rR4dAr/89fc87ea1d62348c21c99fc11a3bfd88 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •