CVE-2022-25305: 
WordPress vulnerability analysis and mitigation

The WP Statistics WordPress plugin versions below 13.1.6 contained a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-25305. The vulnerability was discovered in February 2022 and affected over 600,000 active installations. The issue stemmed from insufficient escaping and sanitization of the IP, browser, and platform parameters in the ~/includes/class-wp-statistics-hits.php file (WPScan).

The vulnerability existed due to improper sanitization of user input in the /wp-json/wp-statistics/v2/hit endpoint. Specifically, the IP parameter could be manipulated to inject malicious JavaScript code that would be stored and later executed when administrators viewed the site's statistics pages. The vulnerability received a CVSS score of 7.2 (High) (Wordfence).

When exploited, this vulnerability allowed attackers to inject arbitrary web scripts that would execute when site administrators accessed the WP Statistics dashboard at wp-admin/admin.php?page=wps_overview_page or related pages. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

The vulnerability was patched in WP Statistics version 13.1.6. Site administrators were advised to update to this version or later to protect against this security issue (WPScan).