[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzKUpfOk5VywhMsPTPJTB8W7UMgrqk2CkhyA6DtO2L8U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2025-15057","slimstat-analytics-unauthenticated-stored-cross-site-scripting-via-fh-parameter","SlimStat Analytics \u003C= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter","The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report.","wp-slimstat",null,"\u003C=5.3.3","5.3.4","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-08 18:00:57","2026-01-09 06:34:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F90920df9-1362-466b-b14b-4714087f556b?source=api-prod",1,[22,23,24,25,26],"CHANGELOG.md","admin\u002Fview\u002Fright-now.php","languages\u002Fwp-slimstat.pot","readme.txt","wp-slimstat.php","researched",false,3,"# Exploitation Research Plan - CVE-2025-15057\n\n## 1. Vulnerability Summary\nThe **SlimStat Analytics** plugin (\u003C= 5.3.3) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape the `fh` (fingerprint) parameter collected during visitor tracking requests. This malicious payload is stored in the database and subsequently executed in the browser of an administrator when they view the **Real-time Access Log** report.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API or `admin-ajax.php` tracking endpoint.\n    *   REST Route: `\u002Fwp-json\u002Fwp-slimstat\u002Fv1\u002Ftrack` (Primary in version 5.3.x).\n    *   AJAX Action: `slimstat_track` (Fallback\u002FAlternative).\n*   **Vulnerable Parameter:** `fh` (Fingerprint Hash).\n*   **Authentication:** None required (Unauthenticated). Tracking is designed to capture data from all site visitors.\n*   **Preconditions:** The plugin must have tracking enabled (default state).\n\n## 3. Code Flow\n1.  **Entry Point (Tracking):** The plugin registers a REST route in `wp_slimstat::init()` via `\\SlimStat\\Providers\\RESTService::run()`.\n2.  
**Data Acquisition:** When a tracking request is sent (e.g., via the browser-side script `wp-slimstat.js`), the server-side logic (likely in `src\u002FProviders\u002FRESTService.php` or `wp_slimstat::slimtrack_ajax()`) extracts parameters from the request.\n3.  **Storage:** The `fh` value is extracted and passed to a database insertion method, likely `wp_slimstat_db::insert()`. The source code for `wp_slimstat_db` is not fully provided, but based on the vulnerability description, this value is stored without sanitization.\n4.  **Sink (Rendering):** An administrator accesses the dashboard at `\u002Fwp-admin\u002Fadmin.php?page=slimview1`.\n5.  **Execution:** The file `admin\u002Fview\u002Fright-now.php` calls `wp_slimstat_db::get_recent()`. It iterates through the results and renders the visit details. The fingerprint (`fh`) is typically displayed in a tooltip or a specific column (e.g., as a unique identifier for the visitor). Because `admin\u002Fview\u002Fright-now.php` fails to use `esc_html()` or `esc_attr()` on this value, the stored script executes.\n\n## 4. Nonce Acquisition Strategy\nTracking requests in SlimStat usually require a nonce to prevent spam, even for unauthenticated users. This nonce is typically localized in the frontend.\n\n1.  **Identify Script Localization:** The plugin enqueues the tracker in `wp_slimstat::enqueue_tracker`.\n2.  **Shortcode:** The tracking script is usually loaded on any page where tracking is active. By default, this is the entire frontend.\n3.  
**Extraction:**\n    *   **Action:** Create a dummy post\u002Fpage to ensure the script triggers.\n    *   **Command:** `wp post create --post_type=page --post_status=publish --post_title=\"Tracking Test\" --post_content=\"Tracking Page\"`\n    *   **Navigation:** Use `browser_navigate` to the URL of the new page.\n    *   **JS Variable:** SlimStat localizes its configuration in a variable named `SlimStatParams` (inferred from common plugin patterns) or similar.\n    *   **Verification:** Use `browser_eval(\"window.SlimStatParams\")` to find the exact key. Based on typical SlimStat versions, the key is `extensions.nonce` or simply `nonce`.\n\n## 5. Exploitation Strategy\nThe goal is to send a malicious `fh` value that stores a script to exfiltrate the administrator's cookies or create a new admin user.\n\n### Step-by-Step Plan:\n1.  **Identify Tracking Endpoint:**\n    Verify if the site uses the REST API (preferred in 5.3.x) or AJAX.\n2.  **Extract Nonce:**\n    Navigate to the homepage and use `browser_eval` to extract the nonce from the `SlimStatParams` object.\n    *Example:* `browser_eval(\"SlimStatParams.nonce\")`.\n3.  
**Send Malicious Tracking Request:**\n    Perform a POST request to the REST API endpoint.\n    *   **URL:** `\u002Fwp-json\u002Fwp-slimstat\u002Fv1\u002Ftrack`\n    *   **Method:** POST\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded` or `application\u002Fjson`.\n    *   **Parameters:**\n        *   `fh`: `\u003Cscript>alert('CVE-2025-15057_XSS')\u003C\u002Fscript>`\n        *   `ref`: `http:\u002F\u002Fexample.com\u002F` (Base64 encoded if required by the plugin: `aHR0cDovL2V4YW1wbGUuY29tLw==`)\n        *   `res`: `1920x1080`\n        *   `_wpnonce`: `[EXTRACTED_NONCE]`\n\n### Example HTTP Request (via `http_request`):\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp-slimstat\u002Fv1\u002Ftrack\",\n  \"headers\": {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  \"body\": \"fh=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E&_wpnonce=[NONCE_VALUE]&url=http%3A%2F%2Flocalhost%3A8080%2F\"\n}\n```\n\n## 6. Test Data Setup\n1.  **Plugin Status:** Ensure `wp-slimstat` is active and version \u003C= 5.3.3.\n2.  **Tracking Settings:** Ensure \"Enable Tracking\" is 'on' (default).\n3.  **Administrator User:** Have an active admin user (standard in PoC environments).\n4.  **Target Page:** No specific shortcode is needed as SlimStat typically tracks all pages, but creating a public page ensures the tracker script and nonce are available.\n\n## 7. Expected Results\n1.  The tracking request returns a `200 OK` or `204 No Content` response.\n2.  The database (table `wp_slim_stats`) now contains a record where the `fingerprint` column holds the `\u003Cscript>` payload.\n3.  When an admin navigates to `\u002Fwp-admin\u002Fadmin.php?page=slimview1`, a JavaScript alert box appears with the site's domain.\n\n## 8. Verification Steps\n1.  
**Database Check:**\n    Use WP-CLI to verify the payload is stored:\n    `wp db query \"SELECT fingerprint FROM wp_slim_stats ORDER BY st_id DESC LIMIT 1;\"`\n2.  **Admin UI Check:**\n    Use `browser_navigate` as an administrator to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=slimview1`.\n    Check for the presence of the alert or inspect the page source for the unescaped payload.\n\n## 9. Alternative Approaches\n*   **Encoding:** If the payload is blocked by simple string matching, try encoding the `fh` parameter or using an `\u003Cimg>` tag with `onerror`.\n*   **AJAX Fallback:** If the REST API is disabled, use the `admin-ajax.php` endpoint:\n    *   **Action:** `slimstat_track`\n    *   **Body:** `action=slimstat_track&fh=\u003Cscript>...\u003C\u002Fscript>&_wpnonce=[NONCE]`\n*   **Referer\u002FURL Parameters:** Some versions of SlimStat also exhibit XSS in the `ref` (referer) or `url` parameters if they are not correctly handled in the \"Recent Referers\" or \"Top Pages\" reports. These can be tested if `fh` fails.","The SlimStat Analytics plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting via the 'fh' (fingerprint) parameter. Malicious scripts injected into this parameter during tracking requests are stored in the database and executed when an administrator views the Real-time Access Log report.","\u002F\u002F wp-slimstat.php (Line 144) - Tracking data intake\npublic static function slimtrack_ajax()\n{\n    \u002F\u002F ... 
\n    self::$data_js = apply_filters('slimstat_filter_pageview_data_js', self::$raw_post_array);\n    $site_host     = parse_url(get_site_url(), PHP_URL_HOST);\n\n    self::$stat['referer'] = '';\n    if (!empty(self::$data_js['ref'])) {\n        self::$stat['referer'] = self::_base64_url_decode(self::$data_js['ref']);\n\n---\n\n\u002F\u002F admin\u002Fview\u002Fright-now.php (Line 40) - Report data retrieval and loop\nwp_slimstat_db::$debug_message = '';\n$all_results                   = wp_slimstat_db::get_recent(wp_slimstat_reports::$reports['slim_p7_02']['callback_args']);\n\n\u002F\u002F ... \n\n\u002F\u002F Loop through the results for display\nfor ($i = 0; $i \u003C $count_page_results; $i++) {\n    $date_time = \"\u003Ci class='spaced slimstat-font-clock slimstat-tooltip-trigger' title='\" . __('Date and Time', 'wp-slimstat') . \"'>\u003C\u002Fi> \" . date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $results[$i]['dt'], true);\n\n    \u002F\u002F ... (rendering logic follows)","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fright-now.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.4\u002Fadmin\u002Fview\u002Fright-now.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.3\u002Fadmin\u002Fview\u002Fright-now.php\t2025-12-17 11:24:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.3.4\u002Fadmin\u002Fview\u002Fright-now.php\t2025-12-28 06:28:40.000000000 +0000\n@@ -205,7 +205,7 @@\n         }\n \n         $results[$i]['resource'] = rawurldecode($results[$i]['resource']);\n-        $results[$i]['resource'] = \"\u003Ca class='slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='\" . 
htmlentities(__('Open this URL in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . \"' href='\" . htmlentities($results[$i]['resource'], ENT_QUOTES, 'UTF-8') . \"'>\u003C\u002Fa> \u003Ca class='slimstat-filter-link' href='\" . wp_slimstat_reports::fs_url('resource equals ' . esc_url($results[$i]['resource'])) . \"'>\" . esc_html($resource_title) . '\u003C\u002Fa>';\n+        $results[$i]['resource'] = \"\u003Ca class='slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='\" . esc_attr(__('Open this URL in a new window', 'wp-slimstat')) . \"' href='\" . esc_url($results[$i]['resource']) . \"'>\u003C\u002Fa> \u003Ca class='slimstat-filter-link' href='\" . wp_slimstat_reports::fs_url('resource equals ' . $results[$i]['resource']) . \"'>\" . esc_html($resource_title) . '\u003C\u002Fa>';","The exploit is achieved by sending a malicious tracking request as an unauthenticated visitor. \n\n1. First, an attacker retrieves the tracking nonce by visiting the site's frontend and extracting the `extensions.nonce` value from the global `SlimStatParams` JavaScript object.\n2. The attacker then constructs a POST request to the REST API tracking endpoint (`\u002Fwp-json\u002Fwp-slimstat\u002Fv1\u002Ftrack`) or the AJAX endpoint (`admin-ajax.php?action=slimstat_track`). \n3. The payload is placed in the `fh` (fingerprint) parameter, for example: `fh=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`. \n4. 
When an administrator later logs in and navigates to the 'Access Log' or 'Real-time' report page within the WordPress dashboard, the stored script executes in their browser session, potentially allowing for cookie theft or administrative account takeover.","gemini-3-flash-preview","2026-05-05 13:41:16","2026-05-05 13:41:42",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","5.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags\u002F5.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-slimstat.5.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags\u002F5.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-slimstat.5.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags"]
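Review bot: In the admin/view/right-now.php hunk (@@ -205,7 +205,7 @@), the added line drops the esc_url() call that the removed line had around $results[$i]['resource'] inside wp_slimstat_reports::fs_url('resource equals ' . ...), so the rawurldecode()d resource now reaches the second single-quoted href attribute with only whatever escaping fs_url() applies, and that is not visible in this hunk. Escape at the point of output by wrapping the fs_url() return value in esc_url() (or esc_attr()) rather than relying on the callee. The hunk also changes only the resource link markup (htmlentities() replaced by esc_attr() and esc_url()) and contains no line that outputs a fingerprint value, so the escaping of the stored fingerprint should be confirmed in the other changed files and covered by a test that renders a row whose fingerprint contains markup.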