{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15055", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-23T15:41:39.208Z", "datePublished": "2026-01-09T06:34:55.531Z", "dateUpdated": "2026-04-08T17:15:39.149Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:39.149Z"}, "affected": [{"vendor": "veronalabs", "product": "SlimStat Analytics", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report."}], "title": "SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2025-12-19T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-23T19:29:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T17:59:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:07:06.944834Z", "id": "CVE-2025-15055", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:10:52.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:07:06.944834Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:10:50.287Z"}}], "cna": {"title": "SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "veronalabs", "product": "SlimStat Analytics", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.3.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-23T19:29:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T17:59:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat"}], "descriptions": [{"lang": "en", "value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:39.149Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15055", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:39.149Z", "dateReserved": "2025-12-23T15:41:39.208Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T06:34:55.531Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report."}, {"lang": "es", "value": "El plugin SlimStat Analytics para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los par\u00e1metros 'notes' y 'resource' en todas las versiones hasta la 5.3.4, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida insuficiente. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un administrador acceda al informe de Eventos Personalizados Recientes."}], "id": "CVE-2025-15055", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T07:16:02.313", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:29:09.455912+00:00", "value": {"mitigation_remediation": ["Upgrade the SlimStat Analytics plugin to the latest available version, or apply any vendor\u2011supplied patch that addresses the stored XSS flaw.", "If an upgrade cannot be performed immediately, restrict access to the plugin\u2019s administrative interface so that only authenticated users can load the Recent Custom Events report, and block or filter the notes and resource parameters through server\u2011side rules or a web application firewall.", "Apply runtime XSS mitigations such as enforcing strict output escaping for any user\u2011generated content, attaching a Content Security Policy header to prevent inline script execution, and enabling the X\u2011XSS\u2011Protection response header.", "Consider employing a web application firewall or security plugin to detect and block suspicious JavaScript payloads submitted to the plugin\u2019s endpoints."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Veron Labs SlimStat Analytics, all releases up to and including version 5.3.4.", "description_and_impact": "The SlimStat Analytics plugin for WordPress is vulnerable to stored XSS through the notes and resource parameters. Insufficient input sanitization and output escaping allow an unauthenticated attacker to embed arbitrary JavaScript in the plugin\u2019s data. The injected code is persisted and executed whenever an administrator opens the Recent Custom Events report, potentially compromising the session by delivering client\u2011side malicious scripts.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, while the EPSS score of\u202f<\u202f1% suggests a low to moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending unauthenticated HTTP requests to the vulnerable endpoints; no authentication or privileged access is required for injection."}}}}, "created": "2026-01-09T13:23:23.337644+00:00", "updated": "2026-04-21T00:30:22.980377+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp-slimstat", "wp-slimstat$PRODUCT$slimstat_analytics"]}