Veronalabs: >> Wp Statistics >> 13.1.6 Security Vulnerabilities
The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
CVSS Score
8.8
EPSS Score
0.004
Published
2023-03-27
SQL Injection vulnerability in VeronaLabs WP Statistics pluginĀ <= 13.2.10 versions.
CVSS Score
9.9
EPSS Score
0.004
Published
2023-03-13
The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
CVSS Score
8.8
EPSS Score
0.163
Published
2023-01-23
Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-06-13
The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters
CVSS Score
6.1
EPSS Score
0.004
Published
2022-06-08