Description
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report.
Published: 2026-01-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in the SlimStat Analytics plugin allows arbitrary script execution under an administrator’s session
Action: Patch Immediately
AI Analysis

Impact

The SlimStat Analytics plugin for WordPress contains a stored cross‑site scripting flaw that stems from insufficient input sanitization on the `fh` (fingerprint) parameter. A malicious value supplied via this parameter is saved to the database without escaping. Consequently, whenever an administrator opens the Real‑time Access Log report, the script is rendered and executed, potentially enabling the attacker to steal session cookies, perform unauthorized actions, or deface the site. The underlying weakness is classified as CWE‑79.

Affected Systems

The flaw exists in all official releases of the SlimStat Analytics plugin up to and including version 5.3.3; installations running any of these versions are vulnerable. Versions 5.3.4 and later, which add input validation, are not affected.

Risk and Exploitability

The vulnerability has a CVSS base score of 7.2 (High). The EPSS score is below 1%, suggesting it is not yet widely exploited in the wild, and the flaw is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated web request that supplies a malicious `fh` value; such a request can come from an external attacker or from a compromised user who can write to the database via the plugin’s interface. Once the payload is stored, any administrator who views the report triggers execution of the injected script.

Generated by OpenCVE AI on April 21, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the SlimStat Analytics plugin to version 5.3.4 or later, which includes proper input validation for the `fh` parameter
  • If an upgrade is not immediately possible, temporarily disable the Real‑time Access Log feature or set the plugin to no‑log mode to prevent the script from being displayed
  • Implement a web application firewall rule to block or sanitize attempts to inject scripts via the `fh` parameter before they reach the plugin
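One way to implement the allowlist-style check behind the WAF recommendation above, as an added example that is not part of the OpenCVE record or of the SlimStat plugin's own code: a small Python script that parses constructed access-log lines and flags requests whose decoded `fh` value contains anything outside an assumed alphanumeric fingerprint format. The fingerprint character set and the endpoint path in the sample lines are assumptions, not values taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the advisory): a legitimate fingerprint is a short
# alphanumeric token. Anything outside this allowlist is treated as suspicious,
# which is how an allowlisting WAF rule for `fh` would behave.
FINGERPRINT_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

# Common/combined access-log prefix: ip ident user [ts] "method target proto" status
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_valid_fingerprint(value: str) -> bool:
    """Allowlist check for an already URL-decoded `fh` value."""
    return FINGERPRINT_RE.fullmatch(value) is not None


def fh_values_from_target(target: str) -> list[str]:
    """Return every decoded `fh` value in a request target's query string."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("fh", [])


def flag_suspicious_requests(log_lines):
    """Return (ip, fh) pairs whose `fh` fails the allowlist; unparsable lines are skipped."""
    flagged = []
    for line in log_lines:
        match = LOG_LINE_RE.match(line)
        if match is None:
            continue
        for fh in fh_values_from_target(match.group("target")):
            if not is_valid_fingerprint(fh):
                flagged.append((match.group("ip"), fh))
    return flagged


# Constructed sample lines (not real traffic); the endpoint path is a placeholder,
# not the plugin's real tracking endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jan/2026:10:00:00 +0000] '
    '"GET /tracker-endpoint-placeholder?fh=a1b2c3d4e5f6 HTTP/1.1" 200 12',
    '203.0.113.9 - - [09/Jan/2026:10:00:01 +0000] '
    '"GET /tracker-endpoint-placeholder?fh=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 12',
    "not an access log line",
]

if __name__ == "__main__":
    for ip, fh in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious fh from {ip}: {fh!r}")
```

The same allowlist is what the plugin-side fix should enforce on write, with output escaping on the report page as the second layer; rejecting non-conforming values at the edge only reduces exposure until the upgrade is applied.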

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wp-slimstat; Wp-slimstat slimstat Analytics

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wp-slimstat; Wp-slimstat slimstat Analytics

Fri, 09 Jan 2026 06:45:00 +0000

Type: Description
Values Added: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report.

Type: Title
Values Added: SlimStat Analytics <= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:47.430Z

Reserved: 2025-12-23T19:12:52.860Z

Link: CVE-2025-15057

Vulnrichment

Updated: 2026-01-09T19:10:39.396Z

NVD

Status: Deferred

Published: 2026-01-09T07:16:02.483

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:45:15Z

Weaknesses