The pixelstats plugin for WordPress (≤ v0.8.2) fails to sanitize `post_id` and `sortby` parameters, allowing unauthenticated attackers to inject malicious JavaScript via crafted URLs. When a victim clicks a manipulated link, the payload executes in their browser session, potentially leading to cookie theft, session hijacking, or defacement. The attack requires user interaction but no privileges, exploiting WordPress’s lack of output encoding in the plugin’s dashboard rendering.
DailyCVE Form:
Platform: WordPress
Version: ≤ 0.8.2
Vulnerability: Reflected XSS
Severity: Medium
Date: 03/28/2025
What Undercode Say:
Exploit:
https://target.com/wp-admin/admin.php?page=pixelstats&post_id=<script>alert(1)</script>&sortby=payload
fetch('/wp-json/wp/v2/users/').then(r=>r.json()).then(d=>alert(d[bash].name))
Protection:
1. Update to pixelstats v0.8.3+.
2. Add `.htaccess` rule to block malicious parameters:
# Block query strings carrying a <script> tag, plain or URL-encoded (the asterisks in .*script.* were stripped in the original; the flags NC (case-insensitive), F (403 Forbidden) and L (last rule) are assumed, as the original rendered them as [bash])
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^ - [F,L]
This is a signature blocklist: it does not cover the bypass vectors listed under Analytics (UTF-7, SVG event handlers, data: URIs), so it supplements the plugin update rather than replacing it.
3. WordPress CSP header:
// Must be sent before any output (e.g. from a send_headers hook). 'unsafe-inline' in script-src would permit exactly the injected inline script, so it is omitted here; inline scripts WordPress itself needs must then be allowed via nonces or hashes.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
Detection:
grep -rnF 'echo $_GET[' /var/www/html/wp-content/plugins/pixelstats/
(Single quotes and -F keep the shell from expanding $_GET and grep from treating [ as a character class; -n prints the line number of each unescaped echo.)
Mitigation Code:
// Sanitize inputs in pixelstats.php (parameter names from the advisory; the original rendered the array keys as [bash])
$post_id = absint( $_GET['post_id'] ?? 0 );       // an ID should be an integer, not only HTML-escaped
$sortby  = sanitize_key( $_GET['sortby'] ?? '' );  // esc_sql() only escapes for SQL and leaves HTML intact, so it would not stop the reflected XSS;
                                                   // sanitize_key() restricts the value to [a-z0-9_-], and it should still be checked against the allowed column names
Analytics:
- 82% of attacks use `` probes.
- Exploit requires admin-ajax.php or admin.php interaction.
- WAF bypass vectors: UTF-7, SVG onerror=, or data: URIs.
Log Analysis:
SELECT * FROM wp_logs WHERE request LIKE '%pixelstats%' AND status_code = 200;
(wp_logs is whatever request-log table your logging plugin writes; WordPress core keeps no such table, so the web server access log is the usual source.)
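The log query above only narrows to pixelstats requests; the following added example (not from the advisory or the plugin) scans constructed Apache access-log lines and flags requests where post_id is not an integer or sortby is outside an assumed allowlist, so encoded, SVG or data: URI variants are caught without a payload signature:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=pixelstats&post_id=42&sortby=views HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2025:10:02:15 +0000] "GET /wp-admin/admin.php?page=pixelstats&post_id=%3Cscript%3Ealert(1)%3C/script%3E&sortby=views HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2025:10:02:40 +0000] "GET /wp-admin/admin.php?page=pixelstats&post_id=42&sortby=%3Csvg%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5290 "-" "curl/8.0"
198.51.100.7 - - [28/Mar/2025:10:03:01 +0000] "GET /wp-admin/admin.php?page=pixelstats&post_id=7&sortby=date HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Assumed allowlist for this example; a real one comes from the plugin's own sort options.
ALLOWED_SORTBY = {"views", "date", "title"}

def classify_request(url):
    """Return the reasons a pixelstats request looks suspicious (empty list = looks normal)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values for us
    if qs.get("page") != ["pixelstats"]:
        return []
    reasons = []
    for value in qs.get("post_id", []):
        if not value.isdigit():          # post_id must be an integer; anything else is a probe or payload
            reasons.append(f"non-numeric post_id: {value!r}")
    for value in qs.get("sortby", []):
        if value not in ALLOWED_SORTBY:  # positive validation, so encoded/SVG/data: variants are caught too
            reasons.append(f"unexpected sortby: {value!r}")
    return reasons

def scan_log(text):
    """Return (ip, timestamp, status, reasons) for every suspicious pixelstats request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["url"])
        if reasons:
            hits.append((m["ip"], m["ts"], int(m["status"]), reasons))
    return hits

if __name__ == "__main__":
    for ip, ts, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status}: " + "; ".join(reasons))
```

A status of 200 on a flagged request means the page rendered the value, which is the reflected case the advisory describes.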
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2164