
Statpress plugin XSS vulnerability disclosure

I’m writing this post in English because it might be helpful to many people around the world who use this plugin.

The visitor statistics plugin for WordPress called Statpress has a dangerous XSS vulnerability that I found in the referer and user agent values it records: they are shown on the statistics page unescaped, which allows an attacker to execute JavaScript code there.

For those who don’t know, the referer is the URL of the page the visitor came from before entering your blog, and the user agent is the web browser he used to surf your blog. Both are plain HTTP request headers sent by the visitor’s browser.

It’s pretty easy for a developer to believe that these data fields would never be manipulated, but in fact, using widely available tools, anyone can set them to JavaScript code, which will be executed when the blog’s admin visits the Statpress statistics page.

What could happen? Well, it depends on the attacker’s creativity. He could just redirect the admin to a cloned WordPress login page to capture his password, or he could be more subtle and steal the admin’s cookie and easily gain access without him ever knowing.

What can you do to solve this problem? Well, since I’m a Statpress user myself, I tried to contact the author almost one month ago, when I found this vulnerability. So far I have received no response, so I decided to patch the problem myself (yep, the power of open source :D).

You can download my patched statpress.php here until the author releases the official one. I've tried it on my blog and it works. Instead of executing the JavaScript code, it just displays it, so admins can notice that someone attempted to own the blog :)
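To make the problem and the fix concrete, here is a small added example of my own. It is not Statpress code and not my patch; the function and variable names are made up, and the sample visit below is constructed. It shows the pattern from the paragraphs above: header values recorded from the request, echoed into the admin page without escaping (vulnerable), and the same values passed through HTML escaping at output time (fixed), plus a simple check an admin page could use to highlight records that do not look like a real URL or browser name.

```php
<?php
// Added example, not part of the Statpress plugin or of the patch described in the post.
// Names below (collect_visit, render_row_vulnerable, render_row_safe, looks_suspicious)
// are hypothetical.

// Values a statistics plugin records on each visit. Both come straight from the
// HTTP request, so the visitor controls them completely.
function collect_visit(): array {
    return [
        'referer'    => $_SERVER['HTTP_REFERER'] ?? '',
        'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? '',
    ];
}

// Vulnerable rendering: the stored values are concatenated into the admin page as-is,
// so any HTML or JavaScript inside them is interpreted by the admin's browser.
function render_row_vulnerable(array $visit): string {
    return '<tr><td>' . $visit['referer'] . '</td><td>' . $visit['user_agent'] . '</td></tr>';
}

// Fixed rendering: every untrusted value is HTML-escaped when it is written out.
// ENT_QUOTES also escapes single quotes, so the value stays safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
// Inside WordPress the idiomatic helper is esc_html(); htmlspecialchars() is used
// here so the example runs with plain PHP.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $visit): string {
    return '<tr><td>' . esc($visit['referer']) . '</td><td>' . esc($visit['user_agent']) . '</td></tr>';
}

// Optional check for the statistics page: a referer that is not a valid URL, or any
// value containing markup characters, is worth highlighting so the admin notices it.
function looks_suspicious(array $visit): bool {
    $referer_is_url = $visit['referer'] === ''
        || filter_var($visit['referer'], FILTER_VALIDATE_URL) !== false;
    $has_markup = strpbrk($visit['referer'] . $visit['user_agent'], '<>"\'') !== false;
    return !$referer_is_url || $has_markup;
}

// Constructed sample: a visit whose headers carry markup instead of a URL and a browser name.
$visit = [
    'referer'    => 'http://example.com/<script>alert(1)</script>',
    'user_agent' => 'Mozilla/5.0 (compatible; <script>alert(1)</script>)',
];

echo "Vulnerable row (a browser would run the script tags):\n";
echo render_row_vulnerable($visit), "\n\n";

echo "Escaped row (the same text is shown literally, so the admin sees the attempt):\n";
echo render_row_safe($visit), "\n\n";

echo 'Flagged as suspicious: ', looks_suspicious($visit) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`. The important design point is that escaping happens at output, in the function that builds the HTML, not at storage time: the raw headers stay in the database exactly as received, which is what lets the statistics page show the admin what was attempted, while the browser only ever receives `&lt;script&gt;` instead of a live tag.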

Patch note: To apply the patch, just extract it and overwrite the statpress.php located in the plugins/wp-statpress directory with the provided statpress.php.

Update: The author has released the official update. Check here.