CVE-2021-25042

Name of the Vulnerable Software and Affected Versions WP Visitor Statistics (Real Time Traffic) versions prior to 5.5

Description The issue concerns a lack of authorization and CSRF checks in the updateIpAddress AJAX action. This allows any authenticated user to call the action or make a logged-in user do it via a CSRF attack, enabling the addition of an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitization, and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged-in admins.

Recommendations For versions prior to 5.5, update to version 5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the updateIpAddress AJAX action to prevent unauthorized calls until a patch is applied. Additionally, restrict the ability of users to set arbitrary IP addresses to exclude, to minimize the risk of Cross-Site Scripting attacks.