cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-2194,https://securityvulnerability.io/vulnerability/CVE-2024-2194,Stored Cross-Site Scripting Vulnerability in WP Statistics Plugin,"The WP Statistics plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability that affects all versions up to and including 14.5. This issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts via the URL search parameter. When a user accesses an affected page, these scripts can execute, potentially compromising user data and system integrity. Website administrators using this plugin should prioritize updates to ensure a secure environment.",Wordpress,WP Statistics,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-13T15:27:20.750Z,0
CVE-2023-0600,https://securityvulnerability.io/vulnerability/CVE-2023-0600,WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi,"The WP Visitor Statistics (Real Time Traffic) plugin for WordPress, prior to version 6.9, is vulnerable to SQL Injection due to inadequate input sanitization. This flaw enables unauthenticated users to manipulate SQL queries, potentially gaining unauthorized access to sensitive data or compromising the integrity of the database. Proper input validation is essential to mitigate the risks associated with such vulnerabilities.",Wordpress,WP Visitor Statistics (real Time Traffic),9.8,CRITICAL,0.11913999915122986,false,,false,false,true,true,false,false,2023-05-15T13:15:00.000Z,0
CVE-2023-0955,https://securityvulnerability.io/vulnerability/CVE-2023-0955,WP Statistics < 14.0 - Authenticated SQLi,"The WP Statistics plugin for WordPress, prior to version 14.0, has a vulnerability that allows authenticated users to exploit unsanitized input parameters to execute SQL Injection attacks. Although the feature is primarily accessible to users with administrative privileges (manage_options capability), settings within the plugin permit lower-privileged users to access it, thereby expanding the attack surface. This vulnerability emphasizes the importance of validating and sanitizing user inputs to prevent unauthorized data manipulation.",Wordpress,WP Statistics,8.8,HIGH,0.0011399999493733048,false,,false,false,false,,false,false,2023-03-27T16:15:00.000Z,0
CVE-2021-4333,https://securityvulnerability.io/vulnerability/CVE-2021-4333,Cross-Site Request Forgery Vulnerability in WP Statistics Plugin for WordPress,"The WP Statistics plugin for WordPress exhibits a Cross-Site Request Forgery vulnerability in versions up to 13.1.1 due to inadequate nonce validation in the view() function. This flaw allows unauthenticated attackers to execute actions, such as activating or deactivating plugins, by tricking site administrators into clicking malicious links, thereby gaining unauthorized access and control over the site.",Wordpress,WP Statistics,6.5,MEDIUM,0.0006699999794363976,false,,false,false,false,,false,false,2023-03-07T14:53:37.979Z,0
CVE-2022-4656,https://securityvulnerability.io/vulnerability/CVE-2022-4656,WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode,"The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.5 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.",Wordpress,WP Visitor Statistics (real Time Traffic),5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2023-02-13T14:32:19.074Z,0
CVE-2022-4230,https://securityvulnerability.io/vulnerability/CVE-2022-4230,WP Statistics < 13.2.9 - Authenticated SQLi,"The WP Statistics plugin for WordPress, prior to version 13.2.9, is vulnerable to SQL Injection due to improper escaping of a parameter. This vulnerability allows authenticated users to exploit the affected feature. By default, this feature is restricted to users with the manage_options capability (typically administrators); however, it can also be configured to be accessible to lower-privileged users, thereby increasing the risk of unauthorized database access and manipulation. This flaw highlights the importance of keeping WordPress plugins up-to-date and following security best practices to mitigate potential threats.",Wordpress,WP Statistics,8.8,HIGH,0.0011399999493733048,false,,false,false,false,,false,false,2023-01-23T14:31:43.539Z,0
CVE-2022-33965,https://securityvulnerability.io/vulnerability/CVE-2022-33965,WordPress WP Visitor Statistics plugin <= 5.7 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities,Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plugin <= 5.7 at WordPress.,Wordpress,WP Visitor Statistics (WordPress Plugin),9.3,CRITICAL,0.0210999995470047,false,,false,false,false,,false,false,2022-07-25T15:15:00.000Z,0
CVE-2022-1005,https://securityvulnerability.io/vulnerability/CVE-2022-1005,WP Statistics < 13.2.2 - Reflected Cross-Site Scripting,"The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters",Wordpress,WP Statistics,6.1,MEDIUM,0.0006300000241026282,false,,false,false,false,,false,false,2022-06-08T10:15:00.000Z,0
CVE-2022-0410,https://securityvulnerability.io/vulnerability/CVE-2022-0410,WP Visitor Statistics (Real Time Traffic) < 5.6 - Subscriber+ SQL Injection,"The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection",Wordpress,WP Visitor Statistics (real Time Traffic),8.8,HIGH,0.001120000029914081,false,,false,false,false,,false,false,2022-03-07T08:16:31.000Z,0
CVE-2021-25042,https://securityvulnerability.io/vulnerability/CVE-2021-25042,WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS,"The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin",Wordpress,WP Visitor Statistics (real Time Traffic),5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-02-28T09:06:33.000Z,0
CVE-2022-25307,https://securityvulnerability.io/vulnerability/CVE-2022-25307,WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via platform,"The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.",Wordpress,WP Statistics,7.2,HIGH,0.0008500000112690032,false,,false,false,false,,false,false,2022-02-24T18:27:12.000Z,0
CVE-2022-25305,https://securityvulnerability.io/vulnerability/CVE-2022-25305,WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via IP,"The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.",Wordpress,WP Statistics,7.2,HIGH,0.0008500000112690032,false,,false,false,false,,false,false,2022-02-24T18:27:11.000Z,0
CVE-2022-25306,https://securityvulnerability.io/vulnerability/CVE-2022-25306,WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via browser,"The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.",Wordpress,WP Statistics,7.2,HIGH,0.0008500000112690032,false,,false,false,false,,false,false,2022-02-24T18:27:09.000Z,0
CVE-2022-25149,https://securityvulnerability.io/vulnerability/CVE-2022-25149,WP Statistics <= 13.1.5 Unauthenticated Blind SQL Injection via IP,"The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.",Wordpress,WP Statistics,9.8,CRITICAL,0.500029981136322,false,,false,false,false,,false,false,2022-02-24T18:27:08.000Z,0
CVE-2022-0651,https://securityvulnerability.io/vulnerability/CVE-2022-0651,WP Statistics <= 13.1.5 Unauthenticated Blind SQL Injection via current_page_type,"The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.",Wordpress,WP Statistics,9.8,CRITICAL,0.500029981136322,false,,false,false,false,,false,false,2022-02-24T18:27:07.000Z,0
CVE-2022-25148,https://securityvulnerability.io/vulnerability/CVE-2022-25148,WP Statistics <= 13.1.5 Unauthenticated Blind SQL Injection via current_page_id,"The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.",Wordpress,WP Statistics,9.8,CRITICAL,0.12052000313997269,false,,false,false,false,,false,false,2022-02-24T00:00:00.000Z,0
CVE-2022-0513,https://securityvulnerability.io/vulnerability/CVE-2022-0513,WP Statistics <= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason,"The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the ""Record Exclusions"" option to be enabled on the vulnerable site.",Wordpress,WP Statistics,9.8,CRITICAL,0.001990000018849969,false,,false,false,false,,false,false,2022-02-16T16:38:03.000Z,0
CVE-2021-24750,https://securityvulnerability.io/vulnerability/CVE-2021-24750,WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection,"The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks",Wordpress,WP Visitor Statistics (real Time Traffic),8.8,HIGH,0.6737300157546997,false,,false,false,true,true,false,false,2021-12-21T08:45:29.000Z,0
CVE-2021-24340,https://securityvulnerability.io/vulnerability/CVE-2021-24340,WP Statistics < 13.0.8 - Unauthenticated SQL Injection,"The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.",Wordpress,WP Statistics,7.5,HIGH,0.030719999223947525,false,,false,false,false,,false,false,2021-06-07T10:49:50.000Z,0
CVE-2017-18515,https://securityvulnerability.io/vulnerability/CVE-2017-18515,,The wp-statistics plugin before 12.0.8 for WordPress has SQL injection.,Wordpress,WP Statistics,9.8,CRITICAL,0.0016400000313296914,false,,false,false,false,,false,false,2019-08-14T13:27:13.000Z,0
CVE-2019-13275,https://securityvulnerability.io/vulnerability/CVE-2019-13275,,"An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default ""use cache plugin"" setting is enabled, is vulnerable to unauthenticated blind SQL Injection.",Wordpress,WP Statistics,9.8,CRITICAL,0.005410000216215849,false,,false,false,false,,false,false,2019-07-04T18:51:22.000Z,0
CVE-2019-12566,https://securityvulnerability.io/vulnerability/CVE-2019-12566,,"The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.",Wordpress,WP Statistics,5.4,MEDIUM,0.0005799999926239252,false,,false,false,false,,false,false,2019-06-03T00:29:00.000Z,0
CVE-2019-10864,https://securityvulnerability.io/vulnerability/CVE-2019-10864,,"The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request.",Wordpress,WP Statistics,6.1,MEDIUM,0.0009200000204145908,false,,false,false,false,,false,false,2019-04-23T17:42:48.000Z,0
CVE-2018-1000556,https://securityvulnerability.io/vulnerability/CVE-2018-1000556,,WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. .,Wordpress,WP Statistics,6.1,MEDIUM,0.0012799999676644802,false,,false,false,false,,false,false,2018-06-26T16:00:00.000Z,0
CVE-2017-10991,https://securityvulnerability.io/vulnerability/CVE-2017-10991,,The WP Statistics plugin through 12.0.9 for WordPress has XSS in the rangestart and rangeend parameters on the wps_referrers_page page.,Wordpress,WP Statistics,6.1,MEDIUM,0.0008900000248104334,false,,false,false,false,,false,false,2017-07-07T14:29:00.000Z,0