CVE-2022-25306: 
WordPress vulnerability analysis and mitigation

The WP Statistics WordPress plugin was found to contain a Cross-Site Scripting (XSS) vulnerability in versions up to and including 13.1.5. The vulnerability was discovered on February 13, 2022, and was assigned CVE-2022-25306. The issue affects the browser parameter in the ~/includes/class-wp-statistics-visitor.php file, which lacked proper escaping and sanitization (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 MEDIUM according to NVD, while Wordfence assessed it at 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). The vulnerability allows attackers to inject arbitrary web scripts that execute when site administrators view the site's statistics (NVD, Wordfence Advisory).

When exploited, this vulnerability allows attackers to inject malicious web scripts that execute in the context of site administrators when they view the statistics pages. This could potentially lead to unauthorized actions being performed with administrator privileges (NVD).

The vulnerability was patched in version 13.1.6 of the WP Statistics plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).