The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability on versions prior to 12.6.7. This vulnerability can only be exploited under certain configurations—the default settings are not vulnerable. Timeline 2019/06/26 – Initial contact to the developer. 2019/06/27 – Response from the developer, disclosure of the vulnerability. 2019/06/30 – Patch proposed for review. Continue reading WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations at Sucuri Blog.