wp-plugin : zdstats – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : zdstats


Affected Version : 2.0.1 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameter : 'lang'
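The advisory only names the parameter, so the following is an added illustration of the generic pattern behind an unauthenticated reflected XSS in a WordPress plugin and of its hardened form. It is not code from the zdstats plugin and not the original PoC; the function names, the allowed-language list and the markup are hypothetical, while `sanitize_text_field`, `wp_unslash`, `esc_url`, `esc_html` and `add_query_arg` are real WordPress API functions.

```php
<?php
// Added illustration, not code from the zdstats plugin. Function names,
// the allowed-language list and the markup are hypothetical.

// Vulnerable pattern: a request parameter is echoed straight into markup.
// Any unauthenticated visitor controls $_GET['lang'], so a value that closes
// the attribute and opens a <script> tag runs in the context of the site.
function zd_example_render_lang_link_vulnerable() {
    $lang = isset( $_GET['lang'] ) ? $_GET['lang'] : 'en';
    echo '<a href="?lang=' . $lang . '">' . $lang . '</a>';
}

// Hardened form: validate against a known list of languages, then escape
// the value for the exact context it lands in (URL vs. element text).
function zd_example_render_lang_link_hardened() {
    $allowed = array( 'en', 'fr', 'de', 'es' ); // hypothetical list
    $lang    = isset( $_GET['lang'] )
        ? sanitize_text_field( wp_unslash( $_GET['lang'] ) )
        : 'en';

    // Strict comparison: reject anything that is not exactly an allowed code.
    if ( ! in_array( $lang, $allowed, true ) ) {
        $lang = 'en';
    }

    printf(
        '<a href="%s">%s</a>',
        esc_url( add_query_arg( 'lang', $lang ) ), // URL/attribute context
        esc_html( $lang )                           // text context
    );
}
```

The validation step is what closes the hole for a parameter like `lang`: a language code has a small fixed vocabulary, so an allow-list is stricter than escaping alone. The escaping calls remain because the same value is written into two different contexts, and each needs its own encoding.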


Disclosure Timeline


Vendor Contacted : 2014-01-17

Plugin Status : Updated
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4605

Plugin Description :
ZdStatistics is a WordPress plugin allowing you to trace your visitors. This is not a simple statistics plugin; it is very flexible and dynamic. This means you can update your filters yourself and therefore be as realistic as possible.

Here is a list of functions:

* Display a summary of visits (week, month, trimester, semester and year)
* Display Pageviews and visitors with daily precision
* Referring pages
* Used keywords
* Localization of your visitors
* Browser / OS
* Outgoing links

The statistics are collected and processed instantly, or not, depending on an option you set. You can also separate feeds from real pageviews, exclude some IPs from being collected (@home, @work, @school, etc.) and choose whether to collect robot pageviews.
