WP Statistics Stored Cross-Site Scripting Vulnerability via 'utm_source' Parameter
Vulnerability
A stored cross-site scripting vulnerability has been identified in the WP Statistics plugin for WordPress, affecting all versions through 14.16.4. The issue arises from insufficient input sanitization and missing output escaping: the plugin's referral parser copies the raw value of the 'utm_source' query parameter into the source_name field, and that value is later rendered into the chart legend using innerHTML. Because any visitor can supply the parameter, unauthenticated attackers can store arbitrary markup that executes on admin pages, particularly the Referrals Overview and Social Media analytics pages.
Impact
Exploitation results in stored cross-site scripting: the injected script runs in the browser of any user, typically an administrator, who opens the affected analytics pages, with that user's WordPress session and privileges. Because the payload is stored with the visit data rather than reflected, it runs each time the page is viewed, without further interaction from the attacker.
Reproduction
To reproduce this vulnerability, request any page of a WordPress site that has the vulnerable WP Statistics plugin installed, appending a 'utm_source' query parameter whose value contains a script payload, so that the visit is recorded. The referral parser copies the value into the source_name field without sanitization. The stored payload executes when an administrator views the Referrals Overview or Social Media analytics pages.
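The following is an added illustration, not code from WP Statistics, that models the data flow described above (utm_source copied raw into source_name, then placed in the chart legend through innerHTML) next to an escaped rendering. All function names, the sample visit URL and the markup structure are assumptions made for the example; the value used is harmless bold markup rather than a script, which is enough to show that untrusted markup survives into the legend HTML.

```javascript
// Added example, not WP Statistics code. Function names and markup are hypothetical.

// Referral parser: pulls utm_source from the landing URL and stores it unchanged,
// which is the behaviour the advisory attributes to versions through 14.16.4.
function parseReferral(landingUrl) {
  const url = new URL(landingUrl);
  const utmSource = url.searchParams.get("utm_source");
  return { source_name: utmSource === null ? "" : utmSource };
}

// Minimal HTML escaper for text context: neutralises the characters that
// can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable legend rendering: markup is built by string concatenation and
// then assigned to innerHTML, so any tags in source_name become live DOM.
function legendHtmlUnsafe(rows) {
  return rows.map((r) => `<li class="legend-item">${r.source_name}</li>`).join("");
}

// Hardened rendering with the same structure: source_name is escaped before
// it is placed in HTML text context, so tags are shown literally.
function legendHtmlSafe(rows) {
  return rows.map((r) => `<li class="legend-item">${escapeHtml(r.source_name)}</li>`).join("");
}

// Browser-only alternative: build nodes and set textContent, so the untrusted
// value is never parsed as HTML at all. Requires a DOM (not used by the test).
function renderLegendDom(rows, container) {
  for (const r of rows) {
    const li = document.createElement("li");
    li.className = "legend-item";
    li.textContent = r.source_name;
    container.appendChild(li);
  }
}

// Constructed sample visit: the utm_source value is URL-encoded "<b>referral</b>".
const SAMPLE_VISIT = "https://example.test/?utm_source=%3Cb%3Ereferral%3C%2Fb%3E";

// Runs the flow once and returns the stored value and both renderings.
function demo() {
  const row = parseReferral(SAMPLE_VISIT);
  return {
    raw: row.source_name,
    unsafe: legendHtmlUnsafe([row]),
    safe: legendHtmlSafe([row]),
  };
}
```

Running demo() shows the unsafe legend string carrying the raw `<b>` tags, which is exactly the string that would reach innerHTML, while the escaped version carries `&lt;b&gt;` and renders as text. Escaping at the sink is the fix that matters here; sanitizing on the server when the visit is stored is a useful second layer but does not replace it, because the same stored field may be rendered in more than one place.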
Remediation
Users are advised to update the WP Statistics plugin to version 14.16.5 or later, where this vulnerability has been patched.
