CVE-2023-5653 – WassUp Real Time Analytics <= 1.9.4.5 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2023-5653
The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP address provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged in admins El complemento WassUp Real Time Analytics de WordPress hasta la versión 1.9.4.5 no escapa a la dirección IP proporcionada a través de algunos encabezados antes de enviarlos nuevamente a una página de administración, lo que permite a los usuarios no autenticados realizar ataques XSS Almacenados contra administradores que hayan iniciado sesión. The WassUp Real Time Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via spoofed IP Addresses in all versions up to, and including, 1.9.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. • https://wpscan.com/vulnerability/76316621-1987-44ea-83e5-6ca884bdd1c0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-10919 – WassUp Real Time Analytics < 1.9.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10919
The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats widget or the wassupURI::add_siteurl method, a different vulnerability than CVE-2012-2633. El plugin wassup versiones anteriores a 1.9.1 para WordPress, presenta una vulnerabilidad de tipo XSS por medio del widget Top stats o el método wassupURI::add_siteurl, una vulnerabilidad diferente de CVE-2012-2633. • https://wordpress.org/plugins/wassup/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •