Wordpress StatCounter <= 2.0.6 - Admin+ Stored XSS

StatCounter is a free web traffic analysis service, which provides summary stats on all wordpress traffic and a detailed analysis of last 500 page views. StatCounter is used by 100,000+ wordpress web site. To use this service in wordpress, it is needed to install and activate the plugin.

A stored XSS vulnerability has been discovered in StatCounter Wordpress Plugin’s admin panel. The plugin versions prior to 2.06 are affected by this vulnerability.

The vulnerability is due to that values of the configuration parameters are not sanitized. The parameters which causing the vulnerability are Project ID and Secure Code. These parameters are stored and reflected to StatCounter Stats page available under “Dashboard” menu item, and settings page of the StatCounter plugin.

The vulnerability can be used by an attacker, to takeover the other admin users' sessions. The details of the discovery are given below. There will be much more reviews and researches, stay close!