Impact
Unauthenticated deserialization of untrusted data in WordPress Slimstat Analytics plugin versions prior to 5.4.0 allows an attacker to supply malicious input that is unchecked during processing, and based on the description, it is inferred that this could lead to remote code execution or other arbitrary behavior, as identified by CWE-502.
Affected Systems
VeronaLabs Slimstat Analytics plugin for WordPress users running any version older than 5.4.0 is affected. No specific minor releases are listed, so all earlier releases remain vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate risk, compounded by the lack of an authentication requirement. EPSS is not provided, and the vulnerability is not currently in CISA KEV, but the ability to exploit it without credentials means that an attacker can target the plugin directly via a specially crafted request, especially one sent to the plugin’s REST or AJAX endpoints, which is likely the entry point.
OpenCVE Enrichment