A new reflected XSS vulnerability has been found in the popular WordPress plugin WP Statistics, version <=, within days of Sucuri's discovery of a SQL injection vulnerability in the same plugin, which was patched immediately.

According to the Dewhurst blog, the 'ip' GET parameter of the 'wps_visitors_page' page is output to the page without first being validated, sanitised or output-encoded. This is an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability: an attacker who tricks an authenticated administrator into clicking a specially crafted link gets JavaScript running in that administrator's session, and from there can compromise the WordPress installation.

Note that other potential instances of authenticated XSS were identified, but these were covered by Cross-Site Request Forgery (CSRF) protection, so a crafted link alone could not reach them. CSRF protection is not an XSS fix, however, so those outputs should still be encoded.

Technical Description

Source: on line 28 of the includes/log/last-visitor.php file, $_GET['ip'] is assigned to the $_get variable.

Sink: on line 74 of the same file, $_get is written to the page with PHP's echo, without any encoding in between.



Visit the link below in the Firefox browser, with the name of the website you are testing substituted into the URL. Firefox is chosen because it has no built-in reflected-XSS filter, whereas Chrome's XSS Auditor at the time could block a simple reflected payload:

A fully weaponised XSS exploit was then created: the injected JavaScript, running with the administrator's session, used the WordPress Theme Editor to write a PHP backdoor into the site.


Fix: pass the $_get variable through the WordPress esc_attr() function before output, for example $_get = esc_attr($_get); Since the value is meant to be an IP address, validating it with filter_var($_get, FILTER_VALIDATE_IP) before use is a tighter check, but output encoding must be applied regardless, and esc_html() is the right call if the value lands in element text rather than in an attribute.
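The source-to-sink flow and the recommended fix, as an added example written for this page rather than code taken from the WP Statistics plugin. It assumes the value is echoed into an HTML attribute (the page does not show the exact sink context) and, because it runs outside WordPress, stands in for esc_attr() with htmlspecialchars(); WordPress's own esc_attr() additionally avoids double-encoding existing entities, which does not matter for the inputs here.

```php
<?php
// Added example (not the plugin's code): the WP Statistics source/sink pattern
// described above, beside a hardened version.
// Assumption: the value is output inside an HTML attribute.

// Stand-in for WordPress's esc_attr() so this runs outside WordPress.
// Assumption: for plain ASCII input it encodes < > & " ' the same way.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request parameter flows from source to sink untouched.
function render_vulnerable(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';               // source: $_GET['ip']
    return '<input type="text" name="ip" value="' . $_get . '">'; // sink: echo, unencoded
}

// Hardened pattern: validate the value as an IP address first, then encode at
// the point of output for the HTML attribute context.
function render_hardened(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';
    if ($_get !== '' && filter_var($_get, FILTER_VALIDATE_IP) === false) {
        $_get = '';  // not an IP address: drop it rather than reflect it
    }
    return '<input type="text" name="ip" value="' . esc_attr($_get) . '">';
}

// Constructed inputs: a benign IP and a classic attribute-breakout payload.
$benign  = ['ip' => '203.0.113.7'];
$payload = ['ip' => '"><script>alert(document.domain)</script>'];

echo "vulnerable, benign : ", render_vulnerable($benign), "\n";
echo "vulnerable, payload: ", render_vulnerable($payload), "\n";  // attribute closed, script tag live
echo "hardened,   benign : ", render_hardened($benign), "\n";
echo "hardened,   payload: ", render_hardened($payload), "\n";    // value="" (rejected by validation)

// Even with validation skipped, encoding alone keeps the payload inside the
// attribute: the quote becomes &quot; and the angle brackets &lt; / &gt;.
echo "encoded only       : ", esc_attr($payload['ip']), "\n";
```

Run it with php from the command line; the second line of output shows the attribute being closed by the payload, while both hardened lines keep the markup intact. Validation and encoding are independent layers: validation limits what the page accepts, encoding guarantees the sink cannot be broken out of even when validation is later relaxed.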

Update WP Statistics to version 12.0.9.

Author: Cognore

Cyber Security Solution
