CVE-2015-10001

MEDIUM

WP-Stats < 2.52 - Cross-Site Request Forgery and Stored Cross-Site Scripting

Title source: llm
STIX 2.1

Description

The WP-Stats WordPress plugin before 2.52 does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads

References (2)

Core 2
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2015/06/17/6

Scores

CVSS v3 4.3
EPSS 0.0049
EPSS Percentile 38.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-352
Status published
Products (1)
wp-stats_project/wp-stats < 2.52
Published Nov 01, 2021
Tracked Since Feb 18, 2026