SlimStat Analytics <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting
Description
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=5.3.2Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-14151 (SlimStat Analytics) ## 1. Vulnerability Summary The **SlimStat Analytics** plugin (<= 5.3.2) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `slimtrack` AJAX action, which handles tracking requ…
Show full research plan
Exploitation Research Plan: CVE-2025-14151 (SlimStat Analytics)
1. Vulnerability Summary
The SlimStat Analytics plugin (<= 5.3.2) is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS). The vulnerability exists within the slimtrack AJAX action, which handles tracking requests for various events, including outbound link clicks. The outbound_resource parameter is accepted from the user and stored in the plugin's tracking tables without sufficient sanitization. When an administrative user views the SlimStat reports (specifically the "Outbound Links" or "Recent Screen Views" reports), the malicious script is executed in their browser context.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
slimtrack(registered for both authenticated and unauthenticated users) - Vulnerable Parameter:
outbound_resource - Authentication Required: None (Unauthenticated)
- Preconditions: The plugin must be active and tracking must be enabled (default state).
3. Code Flow (Inferred)
- Entry Point: The plugin registers the AJAX handler in its main initialization:
add_action( 'wp_ajax_slimtrack', array( 'wp_slimstat', 'slimtrack' ) );add_action( 'wp_ajax_nopriv_slimtrack', array( 'wp_slimstat', 'slimtrack' ) );
- Processing: The
slimtrack()function (likely inadmin/class-wp-slimstat.phporwp-slimstat.php) retrieves theoutbound_resourceparameter from$_POSTor$_GET. - Storage: The raw or insufficiently sanitized value is passed to a database insertion method, saving the "resource" into the
wp_slimstat(or similar) table. - Sink: When an administrator navigates to SlimStat > Reports > External Links, the plugin fetches these records and echoes them into the HTML table without using
esc_html()oresc_attr().
4. Nonce Acquisition Strategy
SlimStat Analytics uses a nonce for its tracking requests to prevent spam/automated hits. This nonce is typically localized into the frontend.
- Identify Script: The tracking script is usually enqueued on all public pages.
- Shortcode/Setup: No specific shortcode is needed as the plugin tracks all pages by default.
- Localization Key: Based on standard SlimStat deployment, the JavaScript object is
SlimStatParams. - Extraction Steps:
- Navigate to the WordPress homepage using
browser_navigate. - Use
browser_evalto extract the nonce:window.SlimStatParams?.ajax_nonce - If
SlimStatParamsis missing, check forSlimStatDataor similar variations.
- Navigate to the WordPress homepage using
5. Exploitation Strategy
Step 1: Extract Nonce
Use the browser to grab the required nonce for the slimtrack action.
Step 2: Submit Malicious Tracking Request
Construct a POST request to the AJAX endpoint.
- URL:
http://[target]/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body Parameters:
action:slimtrack_spn:[extracted_nonce](The nonce parameter name is typically_spnornonce)outbound_resource:<script>alert(document.domain)</script>type:2(Often used to denote an outbound link/click event)
Step 3: Trigger Execution
Log in as an Administrator and navigate to the SlimStat dashboard:
- URL:
http://[target]/wp-admin/admin.php?page=wp-slimstat-reports-outbound(or the "Recent Activity" screen).
6. Test Data Setup
- Install Plugin: Ensure SlimStat Analytics v5.3.2 or earlier is installed and activated.
- Settings: Ensure "Track Outbound Links" is enabled in SlimStat settings (usually enabled by default).
- Public Page: Ensure at least one public post exists so the tracking script is enqueued.
7. Expected Results
- The
http_requestfor theslimtrackaction should return a200 OKresponse, potentially with a small integer (like1) or a JSON success message. - Upon an admin visiting the reports page, an alert box showing the domain name should appear, confirming JavaScript execution in the admin context.
8. Verification Steps
After performing the exploit, verify the storage via WP-CLI to confirm the payload exists in the database:
# Check the slimstat table for the payload
wp db query "SELECT resource FROM wp_slimstat WHERE resource LIKE '%<script>%';"
(Note: Table names might vary depending on prefix; use wp db tables to confirm).
9. Alternative Approaches
- Parameter Variation: If
outbound_resourceis partially filtered, try theresourceparameter orcontent_typeif they are handled by the same tracking logic. - Protocol Bypass: If
<script>is blocked, try an attribute-based XSS:outbound_resource:https://example.com" onmouseover="alert(1)
- DOM XSS Path: Check if the payload is reflected in the "Real-time" dashboard which might use JavaScript to render the incoming data (look for
.innerHTMLsinks in the plugin's admin JS files).
Summary
The SlimStat Analytics plugin for WordPress (versions 5.3.2 and earlier) is vulnerable to unauthenticated Stored Cross-Site Scripting via the 'outbound_resource' parameter in the 'slimtrack' AJAX action. Because user-supplied tracking data is stored without sanitization and subsequently rendered in admin reports without escaping, an attacker can execute arbitrary JavaScript in the context of an administrator's session.
Exploit Outline
1. Nonce Extraction: Navigate to the WordPress site's frontend and extract the required AJAX nonce from the localized JavaScript variables (typically found in the 'SlimStatParams.ajax_nonce' object). 2. Malicious Request: Send an unauthenticated POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'slimtrack', the extracted nonce, and a JavaScript payload (e.g., <script>alert(1)</script>) in the 'outbound_resource' parameter. 3. Data Storage: The plugin processes the request and saves the malicious 'resource' value into its tracking tables in the database. 4. Admin Execution: The XSS payload triggers when an administrator views the SlimStat reports, such as the 'External Links' or 'Recent Screen Views' pages, where the unsanitized resource data is reflected in the HTML.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.