Atomic Edge analysis of CVE-2025-15055:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the SlimStat Analytics WordPress plugin. The vulnerability affects the plugin’s Recent Custom Events report, allowing attackers to inject malicious scripts that execute when an administrator views the report. The CVSS score of 7.2 reflects a high-severity risk to site integrity and administrator accounts.
The root cause is insufficient input sanitization and output escaping for user-supplied data stored in the ‘notes’ and ‘resource’ parameters. The vulnerable code resides in the file wp-slimstat/admin/view/wp-slimstat-reports.php. Specifically, lines 1455 and 1514 directly echo the `$a_result['notes']` and `$a_result['resource']` values without proper escaping. The `$a_result` data originates from the plugin’s tracking mechanism, which accepts input from unauthenticated site visitors and stores it in the database for later display in the admin panel.
An attacker exploits this by sending crafted HTTP requests to the site that include malicious JavaScript payloads within the ‘notes’ or ‘resource’ parameters tracked by the SlimStat plugin. These payloads are stored in the WordPress database. The attack vector is unauthenticated, meaning any site visitor can inject the payload. When a WordPress administrator later accesses the ‘Recent Custom Events’ report (wp-admin/admin.php?page=slimstat&module=reports), the stored payloads are rendered without escaping, causing script execution in the administrator’s browser session.
The patch adds proper output escaping functions to all dynamic data outputs in the report rendering logic. In wp-slimstat/admin/view/wp-slimstat-reports.php, the developer wraps `$a_result['notes']` and `$a_result['counthits']` with `esc_html()` on lines 1455 and 1457. The tooltip content for the ‘resource’ parameter is now constructed using `esc_url()` and `esc_html()` on line 1462. The link generation for the ‘resource’ column on line 1514 replaces `htmlentities()` calls with `esc_attr()` and `esc_url()`. Similar `esc_html()` calls are added for user display names and term names in lines 1523, 1525, and 1944. These changes ensure user-controlled data is treated as plain text or safe URLs when output in HTML context, neutralizing the XSS vectors.
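To make the fix concrete, the following is an added before/after illustration of the escaping pattern the patch applies; it is not the plugin's code. It assumes a WordPress runtime (`esc_html()`, `esc_attr()` and `esc_url()` are WordPress core functions), and the `$a_result` row is constructed sample data standing in for one tracked event read from the database.

```php
<?php
// Added illustration of the output-escaping fix, not code from wp-slimstat.
// Assumes WordPress is loaded so esc_html(), esc_attr() and esc_url() exist.

// Constructed sample row: both text fields were supplied by an unauthenticated
// visitor through the tracker and must be treated as untrusted.
$a_result = array(
    'notes'     => 'Signup click <script>/* constructed sample payload */</script>',
    'resource'  => 'https://example.com/page?q="><script>/* sample */</script>',
    'counthits' => '3',
);

// Vulnerable pattern: stored values are concatenated straight into HTML, so any
// markup or script inside them becomes part of the admin page when it renders.
function render_event_row_vulnerable( array $a_result ): string {
    $html  = '<td>' . $a_result['notes'] . '</td>';
    $html .= '<td><a href="' . $a_result['resource'] . '">' . $a_result['resource'] . '</a></td>';
    $html .= '<td>' . $a_result['counthits'] . '</td>';
    return $html;
}

// Fixed pattern: every dynamic value is escaped for the context it lands in.
function render_event_row_fixed( array $a_result ): string {
    // Text-node context: esc_html() turns <, >, &, " and ' into entities.
    $html  = '<td>' . esc_html( $a_result['notes'] ) . '</td>';
    // href context: esc_url() strips characters not valid in a URL (including
    // quotes and angle brackets) and drops disallowed schemes such as javascript:.
    // Attribute context: esc_attr(). Visible link text: esc_html().
    $html .= '<td><a href="' . esc_url( $a_result['resource'] ) . '"'
           . ' title="' . esc_attr( $a_result['resource'] ) . '">'
           . esc_html( $a_result['resource'] ) . '</a></td>';
    // Numeric-looking values still come from the database, so escape them too.
    $html .= '<td>' . esc_html( $a_result['counthits'] ) . '</td>';
    return $html;
}

echo render_event_row_fixed( $a_result );
```

In the fixed row the `<script>` text survives only as `&lt;script&gt;` entities, which the browser renders as literal characters rather than executing.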
Successful exploitation leads to stored XSS within the WordPress admin dashboard. Attackers can hijack administrator sessions, create new administrative accounts, inject backdoors, deface the site, or steal sensitive data. The impact is full compromise of the WordPress installation because the attacker gains the ability to perform any action the compromised administrator can perform.
