CVE-2025-14151
Stored XSS in SlimStat Analytics WordPress Plugin Allows Script Injection
Publication date: 2025-12-19
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp-slimstat | 5.3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the SlimStat Analytics plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It occurs via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to and including 5.3.2. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, which allows unauthenticated attackers to inject arbitrary web scripts. These scripts execute whenever a user accesses a page containing the injected code. [2]
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to execute arbitrary scripts in the context of users visiting the affected pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the attack is stored, the malicious script persists and affects every user who views the injected page, potentially compromising site visitors and administrators. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action of the SlimStat Analytics WordPress plugin. Detection can involve monitoring HTTP requests to the vulnerable AJAX endpoint for suspicious or malicious payloads in the 'outbound_resource' parameter. Additionally, reviewing recent visitor data and access logs within the SlimStat plugin's admin dashboard may help identify injected scripts or unusual activity. Since the plugin provides detailed visitor data including IP addresses, user agents, and pageviews, administrators can look for unexpected script tags or encoded payloads in these logs. Specific commands are not provided in the resources, but typical detection might include using web server logs or network monitoring tools (e.g., grep or curl) to search for suspicious parameters in requests to the AJAX endpoint related to slimtrack. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the SlimStat Analytics plugin to version 5.3.3 or later, as this version includes security hardening and fixes addressing CVE-2025-14151. The update improves input sanitization and output escaping to prevent Stored Cross-Site Scripting attacks. Until the update is applied, restrict access to the vulnerable AJAX endpoint if possible, monitor for suspicious activity, and consider disabling the plugin temporarily if exploitation risk is high. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not explicitly discuss the impact of CVE-2025-14151 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthenticated attackers to inject arbitrary scripts that execute when users access affected pages, it could potentially lead to unauthorized access or exposure of personal data collected by the SlimStat Analytics plugin. This may indirectly affect compliance with data protection regulations that require safeguarding user data and preventing unauthorized data access or processing. No direct statements about compliance impact are available in the provided information. [1, 2]