CVE-2019-12566: XSS
First published: Sun Jun 02 2019(Updated: )
The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WP Statistics | <=12.6.5 |
Remedy
https://github.com/wp-statistics/wp-statistics/commit/aec4359975344f75385ae1ec257575d8131d6ec2
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-12566?
CVE-2019-12566 has a medium severity rating due to the potential for stored XSS attacks.
How do I fix CVE-2019-12566?
To fix CVE-2019-12566, update the WP Statistics plugin to version 12.6.6 or later.
Who is affected by CVE-2019-12566?
CVE-2019-12566 affects users of the WP Statistics plugin for Wordpress versions up to and including 12.6.5.
What exploits are possible with CVE-2019-12566?
CVE-2019-12566 allows an attacker to execute malicious JavaScript in the context of an admin user via a post title.
Is CVE-2019-12566 a common vulnerability?
CVE-2019-12566 is noteworthy due to its impact on widely used Wordpress installations with the WP Statistics plugin.
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/veronalabs
- canonical/wp statistics
- version/wp statistics/12.6.5