StatCounter WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the StatCounter - Free Real Time Visitor Stats plugin for WordPress, affecting versions through 2.1.1. The issue arises from inadequate output escaping of the post author's nickname in the 'statcounter_addToTags' function, which is executed on every post page. This vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary scripts that are executed when users, including unauthenticated visitors, access the affected posts.

Impact

Successful exploitation results in stored cross-site scripting: the injected script runs in the browser of any user who views the affected post, including unauthenticated visitors, with the privileges of that user's session on the site.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access must inject a script into the post author's nickname. This can be done by accessing the WordPress profile and adding a script tag to the nickname field. Once the nickname is saved, the 'statcounter_addToTags' function will execute on the next post view, running the injected script in the user's browser.
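The defect described above is an output-escaping problem: a profile field controlled by an Author-level user is written into markup that the plugin emits on every post page. The following PHP is an added illustration, not the plugin's code, showing the unescaped pattern beside a hardened form that encodes the value for a JavaScript string context, plus a simple check that the rendered output contains no second closing script tag. The variable name sc_author, the markup shape, and the use of an inline script block are assumptions; the sample nickname is constructed.

```php
<?php
// Added illustration (not the StatCounter plugin's own code): how a post
// author's nickname breaks out of an inline <script> block when it is
// concatenated without escaping, and how encoding it for a JavaScript string
// context keeps it inert. The markup shape and variable name are assumptions.

// Constructed sample nickname, as an Author-level user could save it in
// the profile "nickname" field. The payload is deliberately benign.
$nickname = '</script><b>injected</b><script>';

/** Vulnerable pattern: raw interpolation of user data into JavaScript. */
function render_tags_unescaped(string $nickname): string
{
    return "<script>var sc_author = '" . $nickname . "';</script>";
}

/**
 * Hardened pattern: encode for a JS string context.
 * json_encode() with the HEX flags turns <, >, &, ' and " into \uXXXX escapes
 * (and escapes "/" by default), so the browser never sees a literal </script>.
 * Inside WordPress the equivalents are esc_js() for a single-quoted string
 * or wp_json_encode() for a whole value.
 */
function render_tags_escaped(string $nickname): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var sc_author = ' . json_encode($nickname, $flags) . ';</script>';
}

/**
 * Defender-side check for a template that emits exactly one <script> block:
 * any additional closing script tag means user data escaped its context.
 */
function contains_script_breakout(string $html): bool
{
    return substr_count(strtolower($html), '</script>') > 1;
}

$unsafe = render_tags_unescaped($nickname);
$safe   = render_tags_escaped($nickname);

echo "unescaped: $unsafe\n";
echo "breakout:  " . (contains_script_breakout($unsafe) ? 'yes' : 'no') . "\n\n";
echo "escaped:   $safe\n";
echo "breakout:  " . (contains_script_breakout($safe) ? 'yes' : 'no') . "\n";
```

Run with `php escape_demo.php`: the unescaped output contains a second `</script>` (the break-out the advisory describes), while the encoded output contains only the `\u003C\/script\u003E` sequence, which the browser treats as string data. The same distinction applies to the HTML-attribute and HTML-body contexts, where `esc_attr()` and `esc_html()` are the WordPress functions to reach for.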

Remediation

Users are advised to update the StatCounter WordPress Plugin to version 2.1.2 or later.

Added: May 29, 2026, 7:21 AM
Updated: May 29, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 9.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.