A new reflected XSS vulnerability has been found in the popular WordPress plugin WP Statistics (versions before 12.0.9), within days of Sucuri's discovery of a SQL injection vulnerability in the same plugin, which was patched immediately.
According to the Dewhurst blog, the 'ip' GET parameter on the 'wps_visitors_page' page is output to the page without first being validated, sanitised or output-encoded. This leads to authenticated reflected cross-site scripting (XSS), which could allow an attacker to compromise a WordPress installation by tricking an authenticated administrator into clicking a specially crafted link.
Note that other potential instances of authenticated XSS were identified, but those were covered by the plugin's Cross-Site Request Forgery (CSRF) protection (in WordPress, a nonce check), so they cannot be reached by a crafted link alone.
Source: on line 28 of includes/log/last-visitor.php, $_GET['ip'] is assigned to the $_get variable.
Sink: on line 74 of the same file, $_get is written into the page with echo.
To reproduce, log in as a user who can view the WP Statistics visitors page (the bug is authenticated) and visit the link below in the Firefox browser, replacing mywordpress.com with the name of the site you are testing:
A fully weaponised XSS exploit was also built from this bug: running in the victim administrator's session, it used the WordPress Theme Editor to insert a PHP backdoor into the site.
Remediation: pass the $_get variable through the WordPress esc_attr() function before it is output, for example $_get = esc_attr($_get); esc_attr() is the right escaper when the value lands inside an HTML attribute; if it is written as element text, use esc_html() instead. Ideally the value should also be validated as an IP address before it is used at all.
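The source/sink pattern and the remediation described above, as an added stand-alone PHP illustration that is not the plugin's own code: a hypothetical minimal page that copies the 'ip' query parameter into $_get and echoes it into an attribute, beside a fixed version that validates and escapes it. The function names, the attribute output context and the crafted request value are assumptions made for this example; the local esc_attr() fallback exists only so the file runs under the php CLI outside WordPress.

```php
<?php
// Added example, not code from WP Statistics. Hypothetical reproduction of the
// pattern in the advisory: $_GET['ip'] is copied into $_get (source) and later
// echoed into the page (sink). Function names here are assumptions.

// Stand-alone fallback: esc_attr() is a WordPress function; define it only when
// this file runs outside WordPress so the example is runnable under the php CLI.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw query parameter reaches the page unchanged.
function render_ip_field_vulnerable(array $get): string {
    $_get = isset($get['ip']) ? (string) $get['ip'] : '';         // source
    return '<input type="text" name="ip" value="' . $_get . '">';  // sink: no encoding
}

// Hardened pattern: validate the value as an IP address, then encode it for the
// HTML attribute context it is written into (esc_attr, as the advisory suggests).
function render_ip_field_fixed(array $get): string {
    $_get = isset($get['ip']) ? (string) $get['ip'] : '';
    if ($_get !== '' && filter_var($_get, FILTER_VALIDATE_IP) === false) {
        $_get = '';            // reject anything that is not an IPv4/IPv6 address
    }
    $_get = esc_attr($_get);   // the remediation from the advisory
    return '<input type="text" name="ip" value="' . $_get . '">';
}

// Constructed sample requests for this example (not captured traffic).
$benign  = ['ip' => '203.0.113.5'];
$crafted = ['ip' => '"><script>alert(document.domain)</script>'];

echo "benign, vulnerable : " . render_ip_field_vulnerable($benign)  . "\n";
echo "crafted, vulnerable: " . render_ip_field_vulnerable($crafted) . "\n";
echo "crafted, fixed     : " . render_ip_field_fixed($crafted)      . "\n";
```

Run it with the php CLI. In the vulnerable output the crafted value closes the value attribute and the input element and injects a script element; in the fixed output the value is dropped as a non-IP, and even without the validation step esc_attr() would have turned the quote and angle brackets into entities so the attribute could not be broken out of.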
Users should update the plugin to version 12.0.9, which contains the fix.