5.4
CVE-2021-25042
- EPSS 0.17%
- Veröffentlicht 28.02.2022 09:15:08
- Zuletzt bearbeitet 06.03.2026 19:34:18
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWP Visitor Statistics (Real Time Traffic) <= 5.4 - Missing Authorization to Stored Cross-Site Scripting
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin
Mögliche Gegenmaßnahme
WP Visitor Statistics (Real Time Traffic): Update to version 5.5, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Visitor Statistics (Real Time Traffic)
Version
*-5.4
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Codepress ≫ Visitor Statistics SwEdition- SwPlatformwordpress Version < 5.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.387 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.