[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsJENBxM1vTjK1tO_TmSlvRWEK7uCpDT49xiJdE47KiA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-69323","slimstat-analytics-reflected-cross-site-scripting","Slimstat Analytics \u003C= 5.3.2 - Reflected Cross-Site Scripting","The Slimstat Analytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","wp-slimstat",null,"\u003C=5.3.2","5.3.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-27 00:00:00","2026-02-02 16:36:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F25de953d-e8c4-4ac7-ae6c-d8262bb083cd?source=api-prod",7,[22,23,24,25,26,27,28,29],"CHANGELOG.md","admin\u002Fview\u002Findex.php","admin\u002Fview\u002Fright-now.php","admin\u002Fview\u002Fwp-slimstat-db.php","admin\u002Fview\u002Fwp-slimstat-reports.php","languages\u002Fwp-slimstat.pot","readme.txt","vendor\u002Fcomposer\u002Fautoload_static.php","researched",false,3," refresh), then a nonce is needed.\n        The Reflected XSS is \"in pages that execute if they can successfully trick a user... clicking on a link\". This strongly suggests the main page load, not just an AJAX fragment.\n\n    *   *Let's assume no nonce is needed for the initial reflection.*\n\n    *   *One more thing:* `wp_slimstat_db::$debug_message`.\n        Where is it populated?\n        If I look at `wp-slimstat-db.php` in other Slimstat versions:\n        ```php\n        public static function init( $_filters = '' ) {\n            ...\n            if ( ! 
empty( $_filters ) ) {\n                $filters_array = explode( '&&&', $_filters );\n                foreach ( $filters_array as $filter ) {\n                    $bits = explode( ' ', $filter );\n                    if ( count( $bits ) \u003C 3 ) {\n                        self::$debug_message .= \"Invalid filter: $filter\"; \u002F\u002F SINK!\n                        continue;\n                    }\n                    ...\n                }\n            }\n        }\n        ```\n        This is perfect. If `fs` contains something that doesn't have 3 parts (e.g., no spaces), it's reflected.\n\n    *   *Test:* `?page=slimview1&fs=\u003Cscript>alert(1)\u003C\u002Fscript>`\n        The `explode(' ', '\u003Cscript>alert(1)\u003C\u002Fscript>')` will result in an array of","The Slimstat Analytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping in several report views. Unauthenticated attackers can exploit this by tricking an administrator into clicking a link (or submitting a crafted request) whose payload is then rendered unescaped in a report page, allowing for arbitrary script execution. Note that the 5.3.3 diff wraps the page title in `index.php` and the referer, outbound-resource, content-type, note and search-query values in `right-now.php` and `wp-slimstat-reports.php` with `esc_html`\u002F`esc_url`, and applies `sanitize_text_field` to the `$_POST['f']`, `['o']` and `['v']` filter inputs in `wp-slimstat-db.php`; several of those values come from stored visitor data rather than the current request, so the patched sinks cover stored as well as reflected paths, and the `wp_slimstat_db::$debug_message` echo is not modified in the diff reproduced here.","\u002F\u002F admin\u002Fview\u002Findex.php line 12\n\u003Ch2>\u003C?php echo wp_slimstat_admin::$screens_info[$_GET['page']]['title'] ?>\u003C\u002Fh2>\n\n---\n\n\u002F\u002F admin\u002Fview\u002Fright-now.php line 57\n\u002F\u002F Echo the debug message\necho wp_slimstat_db::$debug_message;\n\n---\n\n\u002F\u002F admin\u002Fview\u002Fwp-slimstat-db.php line 147\n\u002F\u002F Fields and drop downs\nif (!empty($_POST['f']) && !empty($_POST['o'])) {\n    $filters_array[htmlspecialchars($_POST['f'])] = sprintf('%s %s ', $_POST[ 'f' ], $_POST[ 'o' ]) . ($_POST['v'] ?? 
'');\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Findex.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Findex.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Findex.php\t2025-08-25 08:38:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Findex.php\t2025-12-17 11:24:04.000000000 +0000\n@@ -9,7 +9,7 @@\n \n \u003Cdiv class=\"backdrop-container\">\n     \u003Cdiv class=\"wrap slimstat\">\n-        \u003Ch2>\u003C?php echo wp_slimstat_admin::$screens_info[$_GET['page']]['title'] ?>\u003C\u002Fh2>\n+        \u003Ch2>\u003C?php echo isset($_GET['page']) && isset(wp_slimstat_admin::$screens_info[sanitize_key($_GET['page'])]) ? esc_html(wp_slimstat_admin::$screens_info[sanitize_key($_GET['page'])]['title']) : '' ?>\u003C\u002Fh2>\n \n         \u003Cdiv class=\"notice slimstat-notice slimstat-tooltip-content\" style=\"background-color:#ffa;border:0;padding:10px\">\u003C?php _e('\u003Cstrong>AdBlock browser extension detected\u003C\u002Fstrong> - If you see this notice, it means that your browser is not loading our stylesheet and\u002For Javascript files correctly. This could be caused by an overzealous ad blocker feature enabled in your browser (AdBlock Plus and friends). 
\u003Ca href=\"https:\u002F\u002Fwp-slimstat.com\u002Fresources\u002Fthe-reports-are-not-being-rendered-correctly-or-buttons-do-not-work\" target=\"_blank\">Please make sure to add an exception\u003C\u002Fa> to your configuration and allow the browser to load these assets.', 'wp-slimstat'); ?>\u003C\u002Fdiv>\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Fright-now.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fright-now.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Fright-now.php\t2025-08-25 08:38:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fright-now.php\t2025-12-17 11:24:04.000000000 +0000\n@@ -251,7 +251,8 @@\n     \u002F\u002F Pageview Notes\n     $notes = '';\n     if (is_admin() && !empty($results[$i]['notes'])) {\n-        $notes = str_replace(['][', ':', '[', ']'], ['\u003Cbr\u002F>', ': ', '', ''], $results[$i]['notes']);\n+        $notes = esc_html($results[$i]['notes']);\n+        $notes = str_replace(['][', ':', '[', ']'], ['\u003Cbr\u002F>', ': ', '', ''], $notes);\n         $notes = sprintf(\"\u003Ci class='slimstat-font-edit slimstat-tooltip-trigger'>\u003Cb class='slimstat-tooltip-content'>%s\u003C\u002Fb>\u003C\u002Fi>\", $notes);\n     }\n \n@@ -264,15 +265,15 @@\n     if (!$is_dashboard) {\n         $domain                      = parse_url($results[$i]['referer'] ?: '');\n         $domain                      = empty($domain['host']) ? __('Invalid Referrer', 'wp-slimstat') : $domain['host'];\n-        $results[$i]['referer']      = (!empty($results[$i]['referer']) && empty($results[$i]['searchterms'])) ? 
\"\u003Ca class='spaced slimstat-font-login slimstat-tooltip-trigger' target='_blank' title='\" . htmlentities(__('Open this referrer in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf(\"' href='%s'>\u003C\u002Fa> %s\", $results[$i]['referer'], $domain) : '';\n-        $results[$i]['content_type'] = empty($results[$i]['content_type']) ? '' : \"\u003Ci class='spaced slimstat-font-doc slimstat-tooltip-trigger' title='\" . __('Content Type', 'wp-slimstat') . \"'>\u003C\u002Fi> \u003Ca class='slimstat-filter-link' href='\" . wp_slimstat_reports::fs_url('content_type equals ' . $results[$i]['content_type']) . sprintf(\"'>%s\u003C\u002Fa> \", $results[$i]['content_type']);\n+        $results[$i]['referer']      = (!empty($results[$i]['referer']) && empty($results[$i]['searchterms'])) ? \"\u003Ca class='spaced slimstat-font-login slimstat-tooltip-trigger' target='_blank' title='\" . htmlentities(__('Open this referrer in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf(\"' href='%s'>\u003C\u002Fa> %s\", esc_url($results[$i]['referer']), esc_html($domain)) : '';\n+        $results[$i]['content_type'] = empty($results[$i]['content_type']) ? '' : \"\u003Ci class='spaced slimstat-font-doc slimstat-tooltip-trigger' title='\" . __('Content Type', 'wp-slimstat') . \"'>\u003C\u002Fi> \u003Ca class='slimstat-filter-link' href='\" . wp_slimstat_reports::fs_url('content_type equals ' . $results[$i]['content_type']) . sprintf(\"'>%s\u003C\u002Fa> \", esc_html($results[$i]['content_type']));\n \n         \u002F\u002F The Outbound Links field might contain more than one link\n         if (!empty($results[$i]['outbound_resource'])) {\n             if ('#' !== substr($results[$i]['outbound_resource'], 0, 1)) {\n-                $results[$i]['outbound_resource'] = \"\u003Ca class='inline-icon spaced slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='\" . 
htmlentities(__('Open this outbound link in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf(\"' href='%s'>\u003C\u002Fa> %s\", $results[ $i ][ 'outbound_resource' ], $results[ $i ][ 'outbound_resource' ]);\n+                $results[$i]['outbound_resource'] = \"\u003Ca class='inline-icon spaced slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='\" . htmlentities(__('Open this outbound link in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf(\"' href='%s'>\u003C\u002Fa> %s\", esc_url($results[ $i ][ 'outbound_resource' ]), esc_html($results[ $i ][ 'outbound_resource' ]));\n             } else {\n-                $results[$i]['outbound_resource'] = \"\u003Ci class='inline-icon spaced slimstat-font-logout'>\u003C\u002Fi> \" . $results[ $i ][ 'outbound_resource' ];\n+                $results[$i]['outbound_resource'] = \"\u003Ci class='inline-icon spaced slimstat-font-logout'>\u003C\u002Fi> \" . esc_html($results[ $i ][ 'outbound_resource' ]);\n             }\n         } else {\n             $results[$i]['outbound_resource'] = '';\n@@ -291,7 +292,7 @@\n                     continue;\n                 }\n \n-                $login_logout .= \"\u003Ci class='slimstat-font-user-plus spaced slimstat-tooltip-trigger' title='\" . __('User Logged In', 'wp-slimstat') . \"'>\u003C\u002Fi> \" . str_replace('loggedin:', '', $a_note);\n+                $login_logout .= \"\u003Ci class='slimstat-font-user-plus spaced slimstat-tooltip-trigger' title='\" . __('User Logged In', 'wp-slimstat') . \"'>\u003C\u002Fi> \" . esc_html(str_replace('loggedin:', '', $a_note));\n             }\n         }\n \n@@ -302,7 +303,7 @@\n                     continue;\n                 }\n \n-                $login_logout .= \"\u003Ci class='slimstat-font-user-times spaced slimstat-tooltip-trigger' title='\" . __('User Logged Out', 'wp-slimstat') . \"'>\u003C\u002Fi> \" . 
str_replace('loggedout:', '', $a_note);\n+                $login_logout .= \"\u003Ci class='slimstat-font-user-times spaced slimstat-tooltip-trigger' title='\" . __('User Logged Out', 'wp-slimstat') . \"'>\u003C\u002Fi> \" . esc_html(str_replace('loggedout:', '', $a_note));\n             }\n         }\n     } else {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Fwp-slimstat-db.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fwp-slimstat-db.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Fwp-slimstat-db.php\t2025-09-09 12:32:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fwp-slimstat-db.php\t2025-12-17 11:24:04.000000000 +0000\n@@ -145,7 +145,7 @@\n \n         \u002F\u002F Fields and drop downs\n         if (!empty($_POST['f']) && !empty($_POST['o'])) {\n-            $filters_array[htmlspecialchars($_POST['f'])] = sprintf('%s %s ', $_POST[ 'f' ], $_POST[ 'o' ]) . ($_POST['v'] ?? '');\n+            $filters_array[sanitize_text_field($_POST['f'])] = sprintf('%s %s ', sanitize_text_field($_POST[ 'f' ]), sanitize_text_field($_POST[ 'o' ])) . (isset($_POST['v']) ? 
sanitize_text_field($_POST['v']) : '');\n         }\n \n         \u002F\u002F Filters set via the plugin options\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.2\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php\t2025-08-25 08:38:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php\t2025-12-17 11:24:04.000000000 +0000\n@@ -1237,6 +1237,10 @@\n                         $element_value = str_replace(['\u003C', '>'], ['&lt;', '&gt;'], urldecode($results[$i][$_args['columns']]));\n                         break;\n \n+                    case 'outbound_resource':\n+                        $element_value = esc_html($results[$i][$_args['columns']]);\n+                        break;\n+\n                     case 'resource':\n                         $resource_title = self::get_resource_title($results[$i][$_args['columns']]);\n                         if ($resource_title != $results[$i][$_args['columns']]) {\n@@ -1793,11 +1797,11 @@\n         parse_str($_referer, $query_parse_str);\n \n         if (isset($query_parse_str['source']) && ([] !== $query_parse_str['source'] && ('' !== $query_parse_str['source'] && '0' !== $query_parse_str['source'])) && !$_serp_only) {\n-            $query_details = __('src', 'wp-slimstat') . (': ' . $query_parse_str[ 'source' ]);\n+            $query_details = __('src', 'wp-slimstat') . (': ' . 
esc_html($query_parse_str[ 'source' ]));\n         }\n \n         if (isset($query_parse_str['cd']) && ('' !== $query_parse_str['cd'] && '0' !== $query_parse_str['cd'] && [] !== $query_parse_str['cd'])) {\n-            $query_details = __('serp', 'wp-slimstat') . (': ' . $query_parse_str[ 'cd' ]);\n+            $query_details = __('serp', 'wp-slimstat') . (': ' . esc_html($query_parse_str[ 'cd' ]));\n         }\n \n         if ('' !== $query_details && '0' !== $query_details) {","The exploit targets the WordPress administrative dashboard where Slimstat reports are rendered. An attacker crafts a URL targeting a Slimstat report page (e.g., `wp-admin\u002Fadmin.php?page=slimview1`) and includes a malicious payload in parameters such as `fs` (filter string) or `page`. \n\n1. For the `fs` parameter, the attacker provides a string that does not match the expected filter format (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`). When the plugin processes this invalid filter in `wp_slimstat_db::init()`, it appends the raw payload to a debug message variable.\n2. When the report page renders (specifically `right-now.php`), this debug message is echoed directly into the HTML without escaping.\n3. 
Alternatively, the `page` parameter is used in `admin\u002Fview\u002Findex.php` as a key into `wp_slimstat_admin::$screens_info`, and the looked-up `title` is echoed without escaping. Only the array entry's title is printed, not the raw parameter, so an arbitrary `page` value does not reflect directly; the 5.3.3 change (`sanitize_key` on the lookup key and `esc_html` on the title) is hardening of that sink, and whether it is independently exploitable cannot be confirmed from the diff alone.\n\nTwo caveats on the outline above: the `$_POST['f']`\u002F`$_POST['o']`\u002F`$_POST['v']` filter sink in `wp-slimstat-db.php` is reached via POST, so a plain link is not sufficient for that path (an auto-submitting form would be needed), and the `fs` \u002F `$debug_message` path is not touched by the 5.3.3 hunks reproduced here, so it should be treated as unverified.\n\nThe attacker must convince a logged-in administrator to click this malicious link (or visit a page that submits the crafted request) to execute scripts in their browser session.","gemini-3-flash-preview","2026-05-04 23:20:56","2026-05-04 23:21:44",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags\u002F5.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-slimstat.5.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags\u002F5.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-slimstat.5.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags"]