CVE-2019-10864: Wp-Statistics Stored XSS

Manuel Fernandez-Aramburu
Apr 30, 2019

Manuel Fernández-Aramburu and Melchor Vázquez from
Innotec Security (https://innotec.security)


Introduction

Have you ever started auditing a WordPress website? If the answer is yes, you will surely understand what this post is about. When you start looking through a WordPress site, there is not much to do, especially if the site is updated to the latest version and you don't have any users to log in with. It can be quite frustrating, as your chances of getting access seem almost gone.

It happened to us a few weeks ago: we had to audit several WordPress sites for a client of Innotec Security. All the sites had similar configurations, updated to the latest version (5.1.1 at that moment), with few plugins, which were also up to date. Furthermore, access to wp-login was protected by .htaccess, restricted to an IP whitelist.

Because of that, I started reviewing the plugins that were installed, and there was one plugin common to almost all of them: Wp-Statistics, version 12.6.2. The good thing about WordPress and most of its plugins is that they are open source, so you can often find the code on places like GitHub.

After spending a whole day examining the plugin, I found a rather interesting stored XSS in it.
