CVE-2015-10001
MEDIUMWP-Stats < 2.52 - Cross-Site Request Forgery and Stored Cross-Site Scripting
Title source: llmDescription
The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/f5c3dfea-7203-4a98-88ff-aa6a24d03734
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2015/06/17/6
Scores
CVSS v3
4.3
EPSS
0.0049
EPSS Percentile
38.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-352
Status
published
Products (1)
wp-stats_project/wp-stats
< 2.52
Published
Nov 01, 2021
Tracked Since
Feb 18, 2026