Headline
CVE-2023-4598: Changeset 2959452 for wp-slimstat – WordPress Plugin Repository
The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Timestamp:
08/28/2023 03:11:31 PM (8 weeks ago)
mostafa.s1990
Message:
Update to version 5.0.10 from GitHub
Location:
wp-slimstat
Files:
- tags/5.0.10 (copied from wp-slimstat/trunk)
- tags/5.0.10/admin/view/right-now.php (2 diffs)
- tags/5.0.10/admin/view/wp-slimstat-db.php (1 diff)
- tags/5.0.10/readme.txt (2 diffs)
- tags/5.0.10/wp-slimstat.php (5 diffs)
- trunk/admin/view/right-now.php (2 diffs)
- trunk/admin/view/wp-slimstat-db.php (1 diff)
- trunk/readme.txt (2 diffs)
- trunk/wp-slimstat.php (5 diffs)
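--- a/wp-slimstat/tags/5.0.10/admin/view/right-now.php
+++ b/wp-slimstat/tags/5.0.10/admin/view/right-now.php
@@ -34,5 +34,5 @@
 }
 
-$results = array_slice(
+$results = array_slice(
 $all_results,
 wp_slimstat_db::$filters_normalized['misc']['start_from'],
@@ -82,4 +82,9 @@
 // Print visit header?
 if ($i == 0 || $results[$i - 1]['visit_id'] != $results[$i]['visit_id'] || $results[$i - 1]['ip'] != $results[$i]['ip'] || $results[$i - 1]['browser'] != $results[$i]['browser'] || $results[$i - 1]['platform'] != $results[$i]['platform'] || $results[$i - 1]['username'] != $results[$i]['username']) {
+
+// Skip error responses
+if (empty($results[$i]['referer'])) {
+continue;
+}
 
 // Color-coded headers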
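Review bot: The `continue` added at new lines 85-88 sits inside the visit-header branch, so a row with an empty referer is dropped only when it would have started a new header, and the next row of the same visit is then compared against the dropped row via `$results[$i - 1]`, fails the header condition, and is rendered with no header at all. If error responses are meant to be skipped everywhere, move the guard above the header test, i.e. `if (empty($results[$i]['referer'])) { continue; }` before the `if ($i == 0 || ...)` line, and note that `empty()` also treats the string `'0'` as empty. An empty referer is also what a direct visit looks like, so presumably this change hides direct visits from the view too — confirm that is intended. The enclosing loop starts and ends outside the hunk; the identical change appears in trunk/admin/view/right-now.php.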
wp-slimstat/tags/5.0.10/admin/view/wp-slimstat-db.php
r2945907
r2959452
820
820
ORDER BY counthits DESC
821
821
LIMIT 0, %d", self::$filters\_normalized\['misc'\]\['limit\_results'\]);
822
return self::get\_results($sql, $\_args\['group\_by'\],$\_args\['group\_by'\] . ' ASC');
822
return self::get\_results($sql, $\_args\['group\_by'\], $\_args\['group\_by'\] . ' ASC');
823
823
}
824
824
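--- a/wp-slimstat/tags/5.0.10/readme.txt
+++ b/wp-slimstat/tags/5.0.10/readme.txt
@@ -6,5 +6,5 @@
 Requires PHP: 7.4+
 Tested up to: 6.3
-Stable tag: 5.0.9
+Stable tag: 5.0.10
 
 == Description ==
@@ -49,4 +49,10 @@
 
 == Changelog ==
+= 5.0.10 =
+* [Fix] Skip Error Responses: Handling Empty Referer in Results Array
+* [Fix] Escape shortcode attributes
+* [Fix] Skip to accept the invalid argus in shortcode
+* [Fix] Minor improvements & Hardened plugin security
+
 = 5.0.9 =
 * [Fix] Hardened plugin security and sanitization of GeoIP argument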
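--- a/wp-slimstat/tags/5.0.10/wp-slimstat.php
+++ b/wp-slimstat/tags/5.0.10/wp-slimstat.php
@@ -4,5 +4,5 @@
 Plugin URI: https://wp-slimstat.com/
 Description: The leading web analytics plugin for WordPress
-Version: 5.0.9
+Version: 5.0.10
 Author: Jason Crouse, VeronaLabs
 Text Domain: wp-slimstat
@@ -18,5 +18,5 @@
 class wp_slimstat
 {
-public static $version = '5.0.9';
+public static $version = '5.0.10';
 public static $settings = array();
 
@@ -747,4 +747,9 @@
 }
 
+// Validation the parameter w
+if (in_array($w, array('count', 'display_name', 'hostname', 'post_link', 'post_link_no_qs', 'dt', 'username', 'post_link')) == false) {
+return '<!-- Slimstat Shortcode Error: invalid parameter for w -->';
+}
+
 // Include the Reports Library, but don't initialize the database, since we will do that separately later
 include_once(plugin_dir_path(__FILE__) . 'admin/view/wp-slimstat-reports.php');
@@ -797,4 +802,5 @@
 }
 
+$w = esc_html($w);
 $w = self::string_to_array($w);
 
@@ -882,5 +888,5 @@
 
 default:
-$output[$result_idx][$a_column] .= $a_result[$a_column];
+$output[$result_idx][$a_column] .= isset($a_result[$a_column]) ? $a_result[$a_column] : '';
 break;
 }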
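Review bot: The allowlist check added at new line 750 uses loose comparison twice — `in_array()` without the strict flag and `== false` — so it should read `if (!in_array($w, array('count', 'display_name', 'hostname', 'post_link', 'post_link_no_qs', 'dt', 'username'), true)) {`, which also removes the duplicated `'post_link'` entry. Because the check runs on the whole string before `$w = self::string_to_array($w)` at new line 805, a comma-separated `w` value can no longer pass at all; if several columns are still meant to be accepted, split first and validate each element against the list. `esc_html($w)` at new line 804 is an HTML-context escape applied after the value is already constrained to the allowlist, so for whatever query `$w` feeds (the CVE text above says the attribute reached SQL) the allowlist is the control that matters and the escape adds nothing there — it belongs at the point of HTML output, if anywhere. The shortcode handler begins and ends outside the hunk, and the same hunks appear in trunk/wp-slimstat.php.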
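--- a/wp-slimstat/trunk/admin/view/right-now.php
+++ b/wp-slimstat/trunk/admin/view/right-now.php
@@ -34,5 +34,5 @@
 }
 
-$results = array_slice(
+$results = array_slice(
 $all_results,
 wp_slimstat_db::$filters_normalized['misc']['start_from'],
@@ -82,4 +82,9 @@
 // Print visit header?
 if ($i == 0 || $results[$i - 1]['visit_id'] != $results[$i]['visit_id'] || $results[$i - 1]['ip'] != $results[$i]['ip'] || $results[$i - 1]['browser'] != $results[$i]['browser'] || $results[$i - 1]['platform'] != $results[$i]['platform'] || $results[$i - 1]['username'] != $results[$i]['username']) {
+
+// Skip error responses
+if (empty($results[$i]['referer'])) {
+continue;
+}
 
 // Color-coded headers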
wp-slimstat/trunk/admin/view/wp-slimstat-db.php
r2945907
r2959452
820
820
ORDER BY counthits DESC
821
821
LIMIT 0, %d", self::$filters\_normalized\['misc'\]\['limit\_results'\]);
822
return self::get\_results($sql, $\_args\['group\_by'\],$\_args\['group\_by'\] . ' ASC');
822
return self::get\_results($sql, $\_args\['group\_by'\], $\_args\['group\_by'\] . ' ASC');
823
823
}
824
824
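--- a/wp-slimstat/trunk/readme.txt
+++ b/wp-slimstat/trunk/readme.txt
@@ -6,5 +6,5 @@
 Requires PHP: 7.4+
 Tested up to: 6.3
-Stable tag: 5.0.9
+Stable tag: 5.0.10
 
 == Description ==
@@ -49,4 +49,10 @@
 
 == Changelog ==
+= 5.0.10 =
+* [Fix] Skip Error Responses: Handling Empty Referer in Results Array
+* [Fix] Escape shortcode attributes
+* [Fix] Skip to accept the invalid argus in shortcode
+* [Fix] Minor improvements & Hardened plugin security
+
 = 5.0.9 =
 * [Fix] Hardened plugin security and sanitization of GeoIP argument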
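--- a/wp-slimstat/trunk/wp-slimstat.php
+++ b/wp-slimstat/trunk/wp-slimstat.php
@@ -4,5 +4,5 @@
 Plugin URI: https://wp-slimstat.com/
 Description: The leading web analytics plugin for WordPress
-Version: 5.0.9
+Version: 5.0.10
 Author: Jason Crouse, VeronaLabs
 Text Domain: wp-slimstat
@@ -18,5 +18,5 @@
 class wp_slimstat
 {
-public static $version = '5.0.9';
+public static $version = '5.0.10';
 public static $settings = array();
 
@@ -747,4 +747,9 @@
 }
 
+// Validation the parameter w
+if (in_array($w, array('count', 'display_name', 'hostname', 'post_link', 'post_link_no_qs', 'dt', 'username', 'post_link')) == false) {
+return '<!-- Slimstat Shortcode Error: invalid parameter for w -->';
+}
+
 // Include the Reports Library, but don't initialize the database, since we will do that separately later
 include_once(plugin_dir_path(__FILE__) . 'admin/view/wp-slimstat-reports.php');
@@ -797,4 +802,5 @@
 }
 
+$w = esc_html($w);
 $w = self::string_to_array($w);
 
@@ -882,5 +888,5 @@
 
 default:
-$output[$result_idx][$a_column] .= $a_result[$a_column];
+$output[$result_idx][$a_column] .= isset($a_result[$a_column]) ? $a_result[$a_column] : '';
 break;
 }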
Related news
WordPress Slimstat Analytics plugin versions 5.0.9 and below suffer from cross site scripting and remote SQL injection vulnerabilities.