VDB
CVE-2024-2194
CVE-2024-2194
PUBLISHED
CVSS 7.199999809265137 HIGH
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
EPSS 27.80% · 96.5th percentile
Risk Scores
CVSS 3.1
7.199999809265137
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score
27.80%
96.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| veronalabs | WP Statistics – Simple, privacy-friendly Google Analytics alternative | 0 |
| mostafas1990 | WP Statistics | * |
Exploit Intelligence
- Active exploitation of unauthenticated stored XSS vulnerabilities in WordPress Plugins (circl)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e44e4bdd-d84e-4315-9232-48a3b240242d?source=cve (circl)
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047756%40wp-statistics&new=3047756%40wp-statistics&sfp_email=&sfph_mail= (circl)
Timeline
- Mar 13, 2024 CVE Published
- Mar 14, 2024 EPSS Score
- May 5, 2024 EPSS Score
- May 31, 2024 EPSS Score
- Jul 22, 2024 EPSS Score
- Aug 21, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 12, 2024 EPSS Score
- Dec 4, 2024 EPSS Score
- Dec 30, 2024 EPSS Score
- Feb 20, 2025 EPSS Score
- Mar 18, 2025 EPSS Score
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e44e4bdd-d84e-4315-9232-48a3b240242d?source=cve url
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047756%40wp-statistics&new=3047756%40wp-statistics&sfp_email=&sfph_mail= url
- https://nvd.nist.gov/vuln/detail/CVE-2024-2194 advisory
- Active exploitation of unauthenticated stored XSS vulnerabilities in WordPress Plugins third-party-analysis