<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Wp-Statistics - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/wp-statistics/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/wp-statistics/feed.xml" rel="self" type="application/rss+xml"/><item><title>WP Statistics Plugin Stored XSS Vulnerability (CVE-2026-5231)</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-wp-statistics-xss/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-wp-statistics-xss/</guid><description>The WP Statistics WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'utm_source' parameter, allowing unauthenticated attackers to inject arbitrary web scripts into admin pages.</description><content:encoded><![CDATA[<p>The WP Statistics plugin for WordPress, versions up to and including 14.16.4, is susceptible to a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5231. This flaw stems from inadequate input sanitization and output escaping of the 'utm_source' parameter. The vulnerability is triggered because the plugin's referral parser copies the unsanitized 'utm_source' value directly into the 'source_name' field when a wildcard channel domain matches. Subsequently, the chart renderer uses this value in the legend markup via innerHTML without proper escaping. This allows unauthenticated attackers to inject malicious JavaScript code, which executes within the context of an administrator's browser when they access the Referrals Overview or Social Media analytics pages within the WordPress admin panel. This poses a significant risk to the confidentiality and integrity of the WordPress site.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious URL containing a JavaScript payload within the <code>utm_source</code> parameter.</li>
<li>A user visits the website using the malicious URL, triggering the WP Statistics plugin's referral parser.</li>
<li>The plugin's referral parser processes the URL and copies the unsanitized <code>utm_source</code> value, including the injected JavaScript, into the <code>source_name</code> field in the database.</li>
<li>An administrator logs into the WordPress admin panel.</li>
<li>The administrator navigates to the Referrals Overview or Social Media analytics pages, which utilize the WP Statistics plugin's chart renderer.</li>
<li>The chart renderer retrieves the <code>source_name</code> field from the database, which contains the injected JavaScript.</li>
<li>The chart renderer inserts the malicious JavaScript into the legend markup via innerHTML without proper escaping.</li>
<li>The administrator's browser executes the injected JavaScript, potentially allowing the attacker to perform actions such as stealing administrator cookies, modifying website content, or redirecting the administrator to a malicious website.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an administrator's browser. This could lead to complete compromise of the WordPress website, including unauthorized access to sensitive data, modification of website content, and installation of malicious plugins or themes. The impact is significant due to the widespread use of the WP Statistics plugin and the potential for attackers to gain complete control over affected websites. While no specific victim numbers are available, the large user base of WordPress suggests a potentially broad impact across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest patch or upgrade to a version of the WP Statistics plugin that addresses CVE-2026-5231 to remediate the vulnerability.</li>
<li>Deploy the provided Sigma rule <code>Detect Suspicious utm_source Parameter</code> to identify potential exploitation attempts targeting the <code>utm_source</code> parameter in web server logs.</li>
<li>Implement input validation and output escaping mechanisms within the WP Statistics plugin to prevent similar XSS vulnerabilities in the future.</li>
<li>Monitor web server logs for requests containing suspicious characters or patterns within the <code>utm_source</code> parameter, as highlighted in the Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>wordpress</category><category>xss</category><category>cve-2026-5231</category><category>wp-statistics</category></item></channel></rss>