CVE-2025-14151

SlimStat Analytics <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
5.3.3
Patched in
18d
Time to patch

Description

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.3.2
PublishedDecember 18, 2025
Last updatedJanuary 5, 2026
Affected pluginwp-slimstat

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-14151 (SlimStat Analytics) ## 1. Vulnerability Summary The **SlimStat Analytics** plugin (<= 5.3.2) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `slimtrack` AJAX action, which handles tracking requ…

Show full research plan

Exploitation Research Plan: CVE-2025-14151 (SlimStat Analytics)

1. Vulnerability Summary

The SlimStat Analytics plugin (<= 5.3.2) is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS). The vulnerability exists within the slimtrack AJAX action, which handles tracking requests for various events, including outbound link clicks. The outbound_resource parameter is accepted from the user and stored in the plugin's tracking tables without sufficient sanitization. When an administrative user views the SlimStat reports (specifically the "Outbound Links" or "Recent Screen Views" reports), the malicious script is executed in their browser context.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: slimtrack (registered for both authenticated and unauthenticated users)
  • Vulnerable Parameter: outbound_resource
  • Authentication Required: None (Unauthenticated)
  • Preconditions: The plugin must be active and tracking must be enabled (default state).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers the AJAX handler in its main initialization:
    • add_action( 'wp_ajax_slimtrack', array( 'wp_slimstat', 'slimtrack' ) );
    • add_action( 'wp_ajax_nopriv_slimtrack', array( 'wp_slimstat', 'slimtrack' ) );
  2. Processing: The slimtrack() function (likely in admin/class-wp-slimstat.php or wp-slimstat.php) retrieves the outbound_resource parameter from $_POST or $_GET.
  3. Storage: The raw or insufficiently sanitized value is passed to a database insertion method, saving the "resource" into the wp_slimstat (or similar) table.
  4. Sink: When an administrator navigates to SlimStat > Reports > External Links, the plugin fetches these records and echoes them into the HTML table without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

SlimStat Analytics uses a nonce for its tracking requests to prevent spam/automated hits. This nonce is typically localized into the frontend.

  • Identify Script: The tracking script is usually enqueued on all public pages.
  • Shortcode/Setup: No specific shortcode is needed as the plugin tracks all pages by default.
  • Localization Key: Based on standard SlimStat deployment, the JavaScript object is SlimStatParams.
  • Extraction Steps:
    1. Navigate to the WordPress homepage using browser_navigate.
    2. Use browser_eval to extract the nonce:
      window.SlimStatParams?.ajax_nonce
      
    3. If SlimStatParams is missing, check for SlimStatData or similar variations.

5. Exploitation Strategy

Step 1: Extract Nonce

Use the browser to grab the required nonce for the slimtrack action.

Step 2: Submit Malicious Tracking Request

Construct a POST request to the AJAX endpoint.

  • URL: http://[target]/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: slimtrack
    • _spn: [extracted_nonce] (The nonce parameter name is typically _spn or nonce)
    • outbound_resource: <script>alert(document.domain)</script>
    • type: 2 (Often used to denote an outbound link/click event)

Step 3: Trigger Execution

Log in as an Administrator and navigate to the SlimStat dashboard:

  • URL: http://[target]/wp-admin/admin.php?page=wp-slimstat-reports-outbound (or the "Recent Activity" screen).

6. Test Data Setup

  1. Install Plugin: Ensure SlimStat Analytics v5.3.2 or earlier is installed and activated.
  2. Settings: Ensure "Track Outbound Links" is enabled in SlimStat settings (usually enabled by default).
  3. Public Page: Ensure at least one public post exists so the tracking script is enqueued.

7. Expected Results

  • The http_request for the slimtrack action should return a 200 OK response, potentially with a small integer (like 1) or a JSON success message.
  • Upon an admin visiting the reports page, an alert box showing the domain name should appear, confirming JavaScript execution in the admin context.

8. Verification Steps

After performing the exploit, verify the storage via WP-CLI to confirm the payload exists in the database:

# Check the slimstat table for the payload
wp db query "SELECT resource FROM wp_slimstat WHERE resource LIKE '%<script>%';"

(Note: Table names might vary depending on prefix; use wp db tables to confirm).

9. Alternative Approaches

  • Parameter Variation: If outbound_resource is partially filtered, try the resource parameter or content_type if they are handled by the same tracking logic.
  • Protocol Bypass: If <script> is blocked, try an attribute-based XSS:
    • outbound_resource: https://example.com" onmouseover="alert(1)
  • DOM XSS Path: Check if the payload is reflected in the "Real-time" dashboard which might use JavaScript to render the incoming data (look for .innerHTML sinks in the plugin's admin JS files).
Research Findings
Static analysis — not yet PoC-verified

Summary

The SlimStat Analytics plugin for WordPress (versions 5.3.2 and earlier) is vulnerable to unauthenticated Stored Cross-Site Scripting via the 'outbound_resource' parameter in the 'slimtrack' AJAX action. Because user-supplied tracking data is stored without sanitization and subsequently rendered in admin reports without escaping, an attacker can execute arbitrary JavaScript in the context of an administrator's session.

Exploit Outline

1. Nonce Extraction: Navigate to the WordPress site's frontend and extract the required AJAX nonce from the localized JavaScript variables (typically found in the 'SlimStatParams.ajax_nonce' object). 2. Malicious Request: Send an unauthenticated POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'slimtrack', the extracted nonce, and a JavaScript payload (e.g., <script>alert(1)</script>) in the 'outbound_resource' parameter. 3. Data Storage: The plugin processes the request and saves the malicious 'resource' value into its tracking tables in the database. 4. Admin Execution: The XSS payload triggers when an administrator views the SlimStat reports, such as the 'External Links' or 'Recent Screen Views' pages, where the unsanitized resource data is reflected in the HTML.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.