CVE-2024-2194

Name of the Vulnerable Software and Affected Versions WP Statistics plugin for WordPress versions up to, and including, 14.5

Description The issue exists due to insufficient input sanitization and output escaping, allowing an attacker to inject arbitrary web scripts in pages. This can lead to Stored Cross-Site Scripting (XSS) attacks. The vulnerability can be exploited via the URL search parameter. It is estimated that over 600,000 WordPress websites are potentially affected. Exploiting the flaw does not require an attacker to have an existing account on the targeted website, lowering the barrier to entry for attacks.

Recommendations For WP Statistics plugin for WordPress versions up to, and including, 14.5, update to a version higher than 14.5 to resolve the issue. As a temporary workaround, consider restricting access to the URL search parameter to minimize the risk of exploitation. Avoid using the URL search parameter in affected pages until the issue is resolved.