Vulnerabilities and security researches forwp-slimstat wp-slimstat

Direction: descending

Feb 27, 2026

SlimStat Analytics # CVE-2025-69323

CVE, Research URL: CVE-2025-69323
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Feb 20, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2.
Affected versions: max 5.3.2.
Status: vulnerable

SlimStat Analytics # CVE-2025-13431

CVE, Research URL: CVE-2025-13431
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Feb 11, 2026
Research Description: The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 5.3.2.
Status: vulnerable

Jan 27, 2026

SlimStat Analytics # CVE-2025-15055

CVE, Research URL: CVE-2025-15055
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Jan 09, 2026
Research Description: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report.
Affected versions: max 5.3.5.
Status: vulnerable

SlimStat Analytics # CVE-2025-15057

CVE, Research URL: CVE-2025-15057
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Jan 09, 2026
Research Description: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report.
Affected versions: max 5.3.4.
Status: vulnerable

SlimStat Analytics # CVE-2025-14151

CVE, Research URL: CVE-2025-14151
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Dec 19, 2025
Research Description: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.3.3.
Status: vulnerable

Oct 16, 2024

SlimStat Analytics # CVE-2024-9548

CVE, Research URL: CVE-2024-9548
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Oct 15, 2024
Research Description: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the resource parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping when logging visitor requests. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.2.7.
Status: vulnerable

Jun 10, 2024

SlimStat Analytics # CVE-2023-33994

CVE, Research URL: CVE-2023-33994
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slimstat Analytics: from n/a through 5.0.5.1.
Affected versions: max 5.0.6.
Status: vulnerable

Jun 07, 2024

SlimStat Analytics # CVE-2015-1204

CVE, Research URL: CVE-2015-1204
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Jan 21, 2015
Research Description: Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php.
Affected versions: max 3.9.3.
Status: vulnerable

SlimStat Analytics # CVE-2014-100027

CVE, Research URL: CVE-2014-100027
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Jan 13, 2015
Research Description: Cross-site scripting (XSS) vulnerability in the WP SlimStat plugin before 3.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Affected versions: max 3.9.6.
Status: vulnerable

SlimStat Analytics # CVE-2019-15112

CVE, Research URL: CVE-2019-15112
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Aug 21, 2019
Research Description: The wp-slimstat plugin before 4.8.1 for WordPress has XSS.
Affected versions: max 4.8.1.
Status: vulnerable

SlimStat Analytics # CVE-2015-9273

CVE, Research URL: CVE-2015-9273
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Oct 07, 2018
Research Description: The wp-slimstat (aka Slimstat Analytics) plugin before 4.1.6.1 for WordPress has XSS via an HTTP Referer header, or via a field associated with JavaScript-based Referer tracking.
Affected versions: max 4.1.6.1.
Status: vulnerable

SlimStat Analytics # CVE-2023-0630

CVE, Research URL: CVE-2023-0630
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Mar 20, 2023
Research Description: The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.
Affected versions: max 4.9.4.
Status: vulnerable

SlimStat Analytics # CVE-2022-45366

CVE, Research URL: CVE-2022-45366
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: May 25, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics plugin <= 5.0.4 versions.
Affected versions: max 5.0.5.
Status: vulnerable

SlimStat Analytics # CVE-2022-45373

CVE, Research URL: CVE-2022-45373
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Nov 06, 2023
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics allows SQL Injection.This issue affects Slimstat Analytics: from n/a through 5.0.4.
Affected versions: max 2.8.5.
Status: vulnerable

SlimStat Analytics # CVE-2022-4310

CVE, Research URL: CVE-2022-4310
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Jan 10, 2023
Research Description: The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs
Affected versions: max 3.9.6.
Status: vulnerable

SlimStat Analytics # CVE-2024-1073

CVE, Research URL: CVE-2024-1073
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Feb 02, 2024
Research Description: The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.1.4.
Status: vulnerable

SlimStat Analytics # CVE-2023-40676

CVE, Research URL: CVE-2023-40676
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Sep 27, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics plugin <= 5.0.8 versions.
Affected versions: max 5.0.9.
Status: vulnerable

SlimStat Analytics # CVE-2023-4597

CVE, Research URL: CVE-2023-4597
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Aug 30, 2023
Research Description: The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slimstat' shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.0.10.
Status: vulnerable

SlimStat Analytics # CVE-2023-4598

CVE, Research URL: CVE-2023-4598
Home page URL: Security reports for SlimStat Analytics
Application: SlimStat Analytics
Date: Oct 20, 2023
Research Description: The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 5.1.4.
Status: vulnerable