WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS
CVE-2021-25042

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Visitor Statistics (real Time Traffic)
Vendor: CVE Published:; 28 February 2022

Summary

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin

Affected Version(s)

WP Visitor Statistics (Real Time Traffic) 5.5

References

https://wpscan.com/vulnerability/05b9e478-2d3b-4460-88c1-...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 28, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Krzysztof Zając