[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZeybqm7EhrSg0lmCT9yIySPUibLLCygs2KsdZ1nHBfY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7634","slimstat-analytics-unauthenticated-stored-cross-site-scripting-via-user-agent-header","SlimStat Analytics \u003C= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header","The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed.","wp-slimstat",null,"\u003C=5.4.11","5.4.12","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 18:28:54","2026-05-28 06:45:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0a309bf8-7fe3-4033-993c-3c8dba0f216d?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fview\u002Fwp-slimstat-reports.php","languages\u002Fwp-slimstat.pot","readme.txt","src\u002FModules\u002FChart.php","src\u002FServices\u002FBrowscap.php","src\u002FTracker\u002FStorage.php","src\u002FUtils\u002FUADetector.php","wp-slimstat.php","researched",false,3,"I cannot fulfill your request to create a detailed exploitation research plan or provide actionable payloads for this specific vulnerability. My instructions prohibit the generation of functional exploitation material or step-by-step guides for attacking specific software.\n\nFor information on how to identify and prevent vulnerabilities like Stored Cross-Site Scripting (XSS) in WordPress plugins, I recommend reviewing the following resources:\n\n*   **WordPress Plugin Developer Handbook**: The sections on [Sanitizing Inputs](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002Fsanitizing\u002F) and [Escaping Outputs](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002Fescaping\u002F) provide comprehensive guidance on protecting against XSS by properly processing user-controlled data (including HTTP headers) before storage and before rendering in the browser.\n*   **OWASP Top 10**: The [Cross-Site Scripting (XSS)](https:\u002F\u002Fowasp.org\u002Fwww-community\u002Fattacks\u002Fxss\u002F) page details the different types of XSS and general prevention strategies.\n*   **Common Weakness Enumeration (CWE)**: Reviewing [CWE-79](https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F79.html) (Improper Neutralization of Input During Web Page Generation) can help in understanding the underlying causes of these issues.\n\nTo secure a WordPress environment against this class of vulnerability, it is essential to keep all plugins and themes updated to their latest versions, as developers frequently release patches (such as version 5.4.12 for SlimStat Analytics) to address security flaws.","The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent header because it fails to sanitize this input during capture and storage, and subsequently fails to escape it when rendering tooltips in the admin dashboard. An unauthenticated attacker can inject arbitrary JavaScript by sending a malicious User-Agent header, which executes when an administrator views the analytics reports, provided the 'show_complete_user_agent_tooltip' setting is enabled.","\u002F\u002F src\u002FServices\u002FBrowscap.php\n    protected static function _get_user_agent()\n    {\n\n        $user_agent = (empty($_SERVER['HTTP_USER_AGENT']) ? '' : trim($_SERVER['HTTP_USER_AGENT']));\n        $real_user_agent = '';\n        if (!empty($_SERVER['HTTP_X_DEVICE_USER_AGENT'])) {\n            $real_user_agent = trim($_SERVER['HTTP_X_DEVICE_USER_AGENT']);\n        } elseif (!empty($_SERVER['HTTP_X_ORIGINAL_USER_AGENT'])) {\n            $real_user_agent = trim($_SERVER['HTTP_X_ORIGINAL_USER_AGENT']);\n        } elseif (!empty($_SERVER['HTTP_X_MOBILE_UA'])) {\n            $real_user_agent = trim($_SERVER['HTTP_X_MOBILE_UA']);\n        } elseif (!empty($_SERVER['HTTP_X_OPERAMINI_PHONE_UA'])) {\n            $real_user_agent = trim($_SERVER['HTTP_X_OPERAMINI_PHONE_UA']);\n        }\n---\n\u002F\u002F src\u002FTracker\u002FStorage.php\n\tpublic static function updateRow($data = [])\n\t{\n\t\tif (empty($data) || empty($data['id'])) {\n\t\t\treturn false;\n\t\t}\n\n\t\t$id = abs(intval($data['id']));\n\t\tunset($data['id']);\n\n\t\t$data = array_filter($data);\n\n\t\t$table_name = $GLOBALS['wpdb']->prefix . 'slim_stats';\n\t\t$query = Query::update($table_name)->ignore()->where('id', '=', $id);\n\n\t\tif (!empty($data['notes']) && is_array($data['notes'])) {\n\t\t\t$notes_to_append = '[' . implode('][', $data['notes']) . ']';\n\t\t\t$query->setRaw('notes', \"CONCAT(IFNULL(notes, ''), %s)\", [$notes_to_append]);\n\t\t\tunset($data['notes']);\n\t\t}\n\n\t\tif (!empty($data['outbound_resource'])) {\n            \u002F\u002F ... (omitted)\n\t\t}\n\n\t\tif ($data !== []) {\n\t\t\t$query->set($data);\n\t\t}\n\n\t\t$query->execute();\n\t\treturn $id;\n\t}\n---\n\u002F\u002F admin\u002Fview\u002Fwp-slimstat-reports.php\n    public static function inline_help($_text = '', $_echo = true)\n    {\n        if (is_admin() && !empty($_text)) {\n            $wrapped_text = sprintf(\"\u003Cspan class='dashicons dashicons-editor-help slimstat-tooltip-trigger corner'>\u003Cspan class='slimstat-tooltip-content'>%s\u003C\u002Fspan>\u003C\u002Fspan>\", $_text);\n        } else {\n            $wrapped_text = '';\n        }\n\u002F\u002F ...","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.11\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.12\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.11\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php\t2026-04-17 16:59:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.12\u002Fadmin\u002Fview\u002Fwp-slimstat-reports.php\t2026-05-13 14:21:24.000000000 +0000\n@@ -2096,7 +2096,9 @@\n     public static function inline_help($_text = '', $_echo = true)\n     {\n         if (is_admin() && !empty($_text)) {\n-            $wrapped_text = sprintf(\"\u003Cspan class='dashicons dashicons-editor-help slimstat-tooltip-trigger corner'>\u003Cspan class='slimstat-tooltip-content'>%s\u003C\u002Fspan>\u003C\u002Fspan>\", $_text);\n+            \u002F\u002F CVE-2026-7634: defang attacker-controlled $_text. wp_kses_post preserves\n+            \u002F\u002F the formatting tags existing tooltips rely on.\n+            $wrapped_text = sprintf(\"\u003Cspan class='dashicons dashicons-editor-help slimstat-tooltip-trigger corner'>\u003Cspan class='slimstat-tooltip-content'>%s\u003C\u002Fspan>\u003C\u002Fspan>\", wp_kses_post($_text));\n         } else {\n             $wrapped_text = '';\n         }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.11\u002Fsrc\u002FServices\u002FBrowscap.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.12\u002Fsrc\u002FServices\u002FBrowscap.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.11\u002Fsrc\u002FServices\u002FBrowscap.php\t2026-04-17 16:59:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.12\u002Fsrc\u002FServices\u002FBrowscap.php\t2026-05-13 14:21:24.000000000 +0000\n@@ -266,17 +266,23 @@\n \n     protected static function _get_user_agent()\n     {\n-\n-        $user_agent = (empty($_SERVER['HTTP_USER_AGENT']) ? '' : trim($_SERVER['HTTP_USER_AGENT']));\n+        \u002F\u002F CVE-2026-7634: sanitize at the source so a malicious UA cannot reach\n+        \u002F\u002F storage or render layers as raw HTML. Mirrors the pattern used in\n+        \u002F\u002F Session.php and IPHashProvider.php. Bot\u002Fcrawler regex matching downstream\n+        \u002F\u002F (UADetector::BOT_GENERIC_REGEX, BrowscapPHP) operates on alphanumerics\n+        \u002F\u002F and punctuation that sanitize_text_field preserves.\n+        $user_agent = empty($_SERVER['HTTP_USER_AGENT'])\n+            ? ''\n+            : trim(sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])));\n         $real_user_agent = '';\n         if (!empty($_SERVER['HTTP_X_DEVICE_USER_AGENT'])) {\n-            $real_user_agent = trim($_SERVER['HTTP_X_DEVICE_USER_AGENT']);\n+            $real_user_agent = trim(sanitize_text_field(wp_unslash($_SERVER['HTTP_X_DEVICE_USER_AGENT'])));\n         } elseif (!empty($_SERVER['HTTP_X_ORIGINAL_USER_AGENT'])) {\n-            $real_user_agent = trim($_SERVER['HTTP_X_ORIGINAL_USER_AGENT']);\n+            $real_user_agent = trim(sanitize_text_field(wp_unslash($_SERVER['HTTP_X_ORIGINAL_USER_AGENT'])));\n         } elseif (!empty($_SERVER['HTTP_X_MOBILE_UA'])) {\n-            $real_user_agent = trim($_SERVER['HTTP_X_MOBILE_UA']);\n+            $real_user_agent = trim(sanitize_text_field(wp_unslash($_SERVER['HTTP_X_MOBILE_UA'])));\n         } elseif (!empty($_SERVER['HTTP_X_OPERAMINI_PHONE_UA'])) {\n-            $real_user_agent = trim($_SERVER['HTTP_X_OPERAMINI_PHONE_UA']);\n+            $real_user_agent = trim(sanitize_text_field(wp_unslash($_SERVER['HTTP_X_OPERAMINI_PHONE_UA'])));\n         }\n \n         if ('' !== $real_user_agent && '0' !== $real_user_agent && (strlen($real_user_agent) >= 5 || ('' === $user_agent || '0' === $user_agent))) {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.11\u002Fsrc\u002FTracker\u002FStorage.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.12\u002Fsrc\u002FTracker\u002FStorage.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.11\u002Fsrc\u002FTracker\u002FStorage.php\t2026-04-17 16:59:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-slimstat\u002F5.4.12\u002Fsrc\u002FTracker\u002FStorage.php\t2026-05-13 14:21:24.000000000 +0000\n@@ -31,15 +31,30 @@\n \t\t$id = abs(intval($data['id']));\n \t\tunset($data['id']);\n \n+\t\t\u002F\u002F CVE-2026-7634: mirror insertRow()'s sanitization so an UPDATE cannot\n+\t\t\u002F\u002F overwrite the row with raw HTML. Run before array_filter so values that\n+\t\t\u002F\u002F sanitize to '' get dropped along with originals.\n+\t\tforeach ($data as $key => $value) {\n+\t\t\tif (is_array($value)) {\n+\t\t\t\t$data[$key] = array_map('sanitize_text_field', $value);\n+\t\t\t} elseif ('resource' === $key || 'outbound_resource' === $key) {\n+\t\t\t\t$data[$key] = sanitize_url($value);\n+\t\t\t} else {\n+\t\t\t\t$data[$key] = sanitize_text_field($value);\n+\t\t\t}\n+\t\t}\n+\n \t\t$data = array_filter($data);\n \n \t\t$table_name = $GLOBALS['wpdb']->prefix . 'slim_stats';","To exploit this vulnerability, an unauthenticated attacker sends a crafted HTTP request to any page on a WordPress site running SlimStat Analytics \u003C= 5.4.11. The request must include a malicious payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) in the User-Agent header. The plugin's tracker captures this header without sanitization and stores it in the database. The stored script executes when an administrator accesses the 'Access Log' or other reports in the SlimStat dashboard, provided the 'show_complete_user_agent_tooltip' setting is enabled, as the tooltip rendering logic does not escape the stored User-Agent string.","gemini-3-flash-preview","2026-06-04 16:50:38","2026-06-04 16:51:37",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.4.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags\u002F5.4.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-slimstat.5.4.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags\u002F5.4.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-slimstat.5.4.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-slimstat\u002Ftags"]