Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS. This issue affects Slimstat Analytics: from n/a through <= 5.3.2.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross Site Scripting
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of input during web page generation lets an attacker embed malicious script that executes in the context of the victim's browser. This reflected XSS flaw is present in all releases of Slimstat Analytics up to and including version 5.3.2; a successful script injection could lead to session hijacking, defacement, or data exfiltration on affected sites.

Affected Systems

The vulnerability affects the VeronaLabs Slimstat Analytics WordPress plugin. Any installation of the plugin with a version from the earliest released build through 5.3.2 is susceptible. Site administrators should check the installed plugin version and confirm whether it falls within the affected range.

Risk and Exploitability

The CVSS score of 7.1 indicates considerable risk to confidentiality and integrity, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, and no public exploit has been reported. Likely attack vectors involve crafted query parameters or form inputs that the plugin reflects unescaped in its output. An attacker would need access to a page that includes the plugin's output, but no elevated privileges are required to exploit the flaw.

Generated by OpenCVE AI on April 27, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VeronaLabs Slimstat Analytics to version 5.3.3 or later, which removes the input sanitization flaw.
  • If an upgrade is not immediately possible, filter or sanitize every query parameter and form input that the plugin echoes, so that no HTML tags or JavaScript can be reflected in responses.
  • Implement a content security policy that disallows inline scripts on pages served by the plugin to mitigate the effect of any residual XSS payloads.
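As an added illustration of the second and third recommended actions (this is not code from the Slimstat Analytics plugin, whose affected code path is not shown on this page), the following shows the reflected-echo anti-pattern beside the hardened form that WordPress plugins use: sanitize request input, escape it for the exact output context, and send a Content-Security-Policy that forbids inline scripts. The parameter name `q` and the function names prefixed `slim_example_` are assumptions for the example; `sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `esc_url`, `add_query_arg`, `home_url` and the `send_headers` hook are standard WordPress APIs.

```php
<?php
// Added example, not Slimstat Analytics code. Parameter name 'q' and the
// slim_example_* function names are assumed for illustration only.

// BEFORE (the reflected-XSS anti-pattern): raw request input written into HTML.
function slim_example_render_unsafe() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Results for: ' . $q . '</p>';                 // reflected without escaping
    echo '<input type="text" name="q" value="' . $q . '">'; // attribute context, also unescaped
}

// AFTER: sanitize on input, escape on output, once per output context.
function slim_example_render_safe() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and control characters.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // HTML body context: esc_html() encodes <, >, &, " and '.
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';

    // HTML attribute context: esc_attr() so a quote cannot close the attribute.
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';

    // URL context: esc_url() for a link that carries the input back.
    echo '<a href="' . esc_url( add_query_arg( 'q', $q, home_url( '/' ) ) ) . '">Share</a>';
}

// Defense in depth (third recommended action): a CSP without 'unsafe-inline',
// so a payload that slips past escaping still cannot execute as inline script.
// send_headers fires before any output, so header() is still allowed here.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

Escaping is the fix; the CSP only limits the blast radius of anything that still gets through. WordPress core, themes and many plugins emit inline scripts, so roll the policy out first as `Content-Security-Policy-Report-Only`, review the violation reports, and add nonces or hashes for legitimate inline scripts before enforcing it.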

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Veronalabs; Veronalabs slimstat Analytics; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Veronalabs; Veronalabs slimstat Analytics; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS. This issue affects Slimstat Analytics: from n/a through <= 5.3.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Slimstat Analytics plugin <= 5.3.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:52:17.090Z

Reserved: 2025-12-31T20:12:18.799Z

Link: CVE-2025-69323

Vulnrichment

Updated: 2026-02-23T21:37:17.507Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:19.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69323

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses