A reflected XSS vulnerability has been found in the popular WordPress plugin WP Statistics (versions prior to 12.0.9, the release that fixes it), within days of Sucuri's discovery of a SQL injection vulnerability in the same plugin, which was patched immediately.
According to the Dewhurst blog, the 'ip' GET parameter on the 'wps_visitors_page' admin page is output to the page without first being validated, sanitised or output encoded. This is an Authenticated Reflected Cross-Site Scripting (XSS) flaw: the vulnerable page is only reachable by a logged-in user, so an attacker compromises the WordPress site by tricking an authenticated administrator into clicking a specially crafted link, after which the injected script runs with that administrator's session.
Other potential instances of authenticated XSS were also identified; however, those were protected by Cross-Site Request Forgery (CSRF) tokens, so they cannot be triggered by a crafted link alone.
Source: on line 28 of includes/log/last-visitor.php, the value of $_GET['ip'] is assigned to the $_get variable.
Sink: on line 74 of the same file, $_get is written into the page with echo, with no encoding in between.
To reproduce, visit the proof-of-concept link below in Firefox (Firefox is suggested because, unlike Chrome at the time, it has no built-in reflected-XSS filter that would block the payload):
In the URL, replace mywordpress.com with the hostname of the site you are testing (one you are authorised to test).
A fully weaponised exploit was then built on top of this XSS: the injected script uses the administrator's session to drive the WordPress Theme Editor and write a PHP backdoor into the site, giving the attacker arbitrary PHP execution on the server.
Fix: pass the $_get variable through the WordPress esc_attr() function before it is echoed, for example: $_get = esc_attr($_get); esc_attr() is the right escaper when the value lands inside an HTML attribute; if it were echoed into element content, esc_html() would be the matching choice. Since the parameter is meant to be an IP address, it can also be validated before use.
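The following is an added example, not the plugin's code and not taken from the Dewhurst advisory: a minimal stand-in that reproduces the source-to-sink pattern described above (request parameter straight into echo) next to two hardened forms, the esc_attr() fix the advisory recommends and, going one step further than the advisory, IP validation before output. The attribute context (value="...") is an assumption, since the page does not say where in the HTML the value is echoed; the esc_attr() fallback is only there so the script runs from the PHP CLI outside WordPress, where the real esc_attr() is used instead.

```php
<?php
// Added example (not the plugin's code). Reproduces the pattern described
// for includes/log/last-visitor.php: $_GET['ip'] -> $_get -> echo.

// Outside WordPress, provide a stand-in for esc_attr() so this runs from the
// PHP CLI. Inside WordPress the real esc_attr() is defined and used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request parameter flows to the output unchanged.
// (Attribute context is assumed here; the page does not state the context.)
function render_vulnerable(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';                    // source
    return '<input type="text" name="ip" value="' . $_get . '">';    // sink
}

// Fix from the advisory: output-encode at the sink with esc_attr().
function render_escaped(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';
    $_get = esc_attr($_get);
    return '<input type="text" name="ip" value="' . $_get . '">';
}

// Defence in depth (beyond the advisory): the parameter is supposed to be an
// IP address, so reject anything that is not one, then still encode on output.
function render_validated(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';
    if ($_get !== '' && filter_var($_get, FILTER_VALIDATE_IP) === false) {
        $_get = ''; // not an IP: drop it rather than reflect it
    }
    return '<input type="text" name="ip" value="' . esc_attr($_get) . '">';
}

// Constructed sample inputs: an attribute-breakout payload and a benign IP.
$payload = ['ip' => '"><script>alert(1)</script>'];
$benign  = ['ip' => '203.0.113.5'];

echo "vulnerable:       " . render_vulnerable($payload) . "\n";
echo "escaped:          " . render_escaped($payload)    . "\n";
echo "validated:        " . render_validated($payload)  . "\n";
echo "validated benign: " . render_validated($benign)   . "\n";
```

Run it with `php` from the command line: the first line shows the payload closing the attribute and injecting a script element, the second shows the same bytes rendered inert as `&quot;&gt;&lt;script&gt;...`, and the third shows the payload never reaching the page at all while a real IP address is still reflected.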
Mitigation: update WP Statistics to version 12.0.9 or later, which contains the fix.