CVE-2025-15055
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | wp_slimstat | to 5.3.4 (inc) |
| unknown_vendor | wp_slimstat | 5.3.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the SlimStat Analytics WordPress plugin (versions up to and including 5.3.4). It occurs because the plugin does not properly sanitize or escape input from the 'notes' and 'resource' parameters. As a result, an unauthenticated attacker can inject malicious scripts that will execute whenever an administrator views the Recent Custom Events report in the plugin's admin interface. [2]
How can this vulnerability impact me? :
The vulnerability allows attackers to execute arbitrary scripts in the context of the administrator's browser when they view the affected report. This can lead to theft of administrator credentials, session hijacking, unauthorized actions performed with admin privileges, or other malicious activities that compromise the security and integrity of the WordPress site. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress site is running the SlimStat Analytics plugin version 5.3.4 or earlier, as these versions are vulnerable. Since the vulnerability is a Stored Cross-Site Scripting via the 'notes' and 'resource' parameters, one can look for suspicious script tags or payloads in these parameters within the plugin's data storage or admin reports. There are no specific commands provided in the resources to detect this vulnerability on a network or system. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the SlimStat Analytics plugin to version 5.3.5 or later, where the vulnerability has been fixed by implementing comprehensive output sanitization and escaping. This update includes escaping output data, safe URL handling, HTML entities encoding, and user data sanitization to prevent cross-site scripting attacks. Ensuring the plugin runs on PHP 7.4 or higher and WordPress 6.8 or later is also recommended. [2]