Title: WordPress 'Simple Visitor Stat' plugin - Stored XSS
Reported by: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/simple-visitor-stat/
----------------------------------------------------------------

## Description: 
----------------------------------------------------------------
Keep track of your site visitor's details like Country, IP, Referrer, User Agent, visit time. Its very light plugin that doesn't effect your page loading speed.Its simple and easy.


## Stored XSS:
----------------------------------------------------------------
When the plugin registers a page visit with a new IP (or an old IP visiting a new page) it stores the User agent and Referer unsanitized in the DB. 

This allows an attacker to perform XSS, just by visiting the site. The injected script will be executed when an admin visits the Visitor Stat page in the admin panel. 

# Vulnerable code - simple-visitor-stat.php:

$u_ip = $_SERVER['REMOTE_ADDR'];
$u_ua = $_SERVER['HTTP_USER_AGENT'];
$referrer = $_SERVER['HTTP_REFERER'];

$check = $wpdb->get_results("select id from ".$wpdb->prefix."svisitor_stat where ip = '".$u_ip."' and page = '".$page."'");
if($check){
  $query = "update ".$wpdb->prefix."svisitor_stat set vcount = vcount+1,vtime = now() where ip = '".$u_ip."' and page = '".$page."'";
  $wpdb->query($query);
}
else
{
  $query = "insert into ".$wpdb->prefix."svisitor_stat (ip,referrer,ua,page,vcount,vtime) values('".$u_ip."','".$referrer."','".$u_ua."','".$page."',1,now())";
  $wpdb->query($query);
}

# PoC:
Just change the User agent, url or the referer header to include: <script>alert(document.cookie);</script> 

## Solution
----------------------------------------------------------------
No fix have been released. 

WordPress have been notified and the plugin has been closed until it is updated.