StatPressCN Plugin for Wordpress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'what1', 'what2', 'what3', 'what4' and 'what5' parameters upon submission to the 'wp-admin/admin.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

OSVDB is not aware of a solution for this vulnerability. The vendor claimed this was fixed in version 1.9.1, but third party evaluations have shown it to still be present.

• CVE ID: 2011-0641 (see also: NVD)
• Secunia Advisory ID: 43016
• Bugtraq ID: 45950
• Other Advisory URL: http://spotthevuln.com/2011/04/charming-xss-uhhh-wait-actually-sql-injection/

• Saif El-Sherei