PT-2022-17201 · WordPress · Wp Statistics

Muhammad Zeeshan · Published 2022-02-24 · Updated 2022-03-03 · CVE-2022-25306

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WP Statistics versions up to and including 13.1.5

Description
Stored Cross-Site Scripting. The browser parameter handled by the plugin's visitor-tracking code (~/includes/class-wp-statistics-visitor.php) is neither sufficiently sanitized when it is recorded nor escaped when it is rendered. An unauthenticated attacker (the CVSS vector is PR:N/UI:N) can therefore inject arbitrary HTML and script into the stored visitor data; the payload is persisted and executes in the browser of any site administrator who views the affected statistics pages, i.e. in the administrator's own session (hence S:C).

Recommendations
For versions up to and including 13.1.5, update to the release that adds the missing escaping and sanitization of the browser parameter. Until the update is applied, reduce exposure by not viewing the plugin's statistics pages from an administrator account, since that is where the stored script runs; restricting who may open those pages does not remove a payload that has already been stored.
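The bug class and the fix described above, as an added PHP illustration that is not code from WP Statistics (the plugin's real rendering code differs). The function names, the `$visit` array and the fallback definitions of `esc_html` / `sanitize_text_field` are assumptions made so the file runs outside WordPress; the payload in the constructed record stands in for whatever an attacker can get recorded as the browser value:

```php
<?php
// Added example for CVE-2022-25306's bug class; not WP Statistics code.
// Function names, the $visit record and the helper fallbacks below are
// assumptions for this illustration only.

// Stand-ins for the WordPress helpers, so this runs without WordPress loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Simplified: strip tags, control characters and surrounding whitespace.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Constructed visitor record. The browser value is attacker-influenced because
// it is derived from the visitor's own request, not from trusted data.
$visit = [
    'ip'      => '203.0.113.10',
    'browser' => 'Firefox<img src=x onerror="alert(document.cookie)">',
];

// VULNERABLE: the stored value is concatenated into admin-page HTML verbatim,
// so the injected markup runs in the administrator's session on view.
function render_browser_cell_vulnerable(array $visit): string {
    return '<td>' . $visit['browser'] . '</td>';
}

// FIXED, part 1: sanitize on the way in, limiting what gets persisted at all.
function store_visit_fixed(array $visit): array {
    $visit['browser'] = sanitize_text_field($visit['browser']);
    return $visit;
}

// FIXED, part 2: escape on the way out. This is the control that actually
// prevents script execution, and it must be applied even to values that were
// sanitized earlier, because stored data may predate the sanitization.
function render_browser_cell_fixed(array $visit): string {
    return '<td>' . esc_html($visit['browser']) . '</td>';
}

echo render_browser_cell_vulnerable($visit), PHP_EOL;
echo render_browser_cell_fixed(store_visit_fixed($visit)), PHP_EOL;
echo render_browser_cell_fixed($visit), PHP_EOL;
```

Run with `php example.php`. The first line reproduces the injected `<img>` tag inside the table cell; the second shows the tag removed at storage time; the third shows that, even for a record stored before the fix, output escaping turns `<`, `>` and `"` into entities so the browser renders the payload as text.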

Tags: Exploit · Fix · XSS


Weakness Enumeration
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Identifiers
CVE-2022-25306

Affected Products
Wp Statistics