Vulnerability Summary from Wordfence Intelligence
Description: Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Affected Versions: <= 5.0.9
CVE ID: CVE-2023-4597
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Lana Codes
Fully Patched Version: 5.0.10
The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slimstat’ shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Description: Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode
Affected Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Affected Versions: <= 5.0.9
CVE ID: CVE-2023-4598
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 5.0.10
The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Technical Analysis
Slimstat Analytics is a WordPress website traffic analytics plugin that offers several features for analyzing and monitoring traffic. It provides a shortcode ([slimstat]) that displays various types of statistics when added to a WordPress page or post.
Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has several types based on the ‘f’ parameter. In vulnerable versions, the ‘top-all’ type does not adequately sanitize the user-supplied ‘w’ attribute, and then fails to escape the ‘class’ output derived from the ‘w’ parameter when it displays the statistics. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘w’ attribute.
[View this code snippet on the blog.]
This makes it possible for threat actors with contributor-level access to a site to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.
Further examining the code, we also found a SQL Injection vulnerability within the same shortcode. Although the ‘w’ parameter will be converted into an array, it is not properly sanitized. This parameter is used for the column in the database query, and although the prepare function is used, the column is not specified as a placeholder, which makes it possible for an attacker to perform SQL injection attacks.
[View this code snippet on the blog.]
Since no data from the SQL query was returned in the response, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.
Disclosure Timeline
August 24, 2023 – Wordfence Threat Intelligence team discovers the stored XSS and SQL Injection vulnerabilities in Slimstat Analytics.
August 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 26, 2023 – The vendor confirms the inbox for handling the discussion.
August 26, 2023 – We send over the full disclosure details for the XSS vulnerability.
August 27, 2023 – We send over the full disclosure details for the SQL injection vulnerability.
August 27, 2023 – The vendor acknowledges the report and begins working on a fix.
August 28, 2023 – The fully patched version, 5.0.10, is released.
Conclusion
In this blog post, we have detailed stored XSS and SQL Injection vulnerabilities within the Slimstat Analytics plugin affecting versions 5.0.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page, and extract sensitive information from a database. These vulnerabilities have been fully addressed in version 5.0.10 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Slimstat Analytics.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
