{"id":"CVE-2019-10864","details":"The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request.","modified":"2026-04-10T04:13:56.205991Z","published":"2019-04-23T18:29:00.350Z","references":[{"type":"WEB","url":"https://medium.com/%40aramburu/cve-2019-10864-wordpress-7aebc24751c4"},{"type":"FIX","url":"https://github.com/wp-statistics/wp-statistics/commit/5aec0a08680f0afea387267a8d1b9fbb3379247c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wp-statistics/wp-statistics","events":[{"introduced":"0"},{"last_affected":"8031027e67d4c6a3a4bb20428009cea6583b4e92"},{"fixed":"5aec0a08680f0afea387267a8d1b9fbb3379247c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"12.6.2"}]}}],"versions":["12.0.10","12.0.11","12.0.12","12.0.12.1","12.0.6","12.0.7","12.0.8","12.0.8.1","12.0.9","12.1.0","12.1.1","12.1.2","12.1.3","12.2","12.3","12.3.1","12.3.2","12.3.3","12.3.4","12.3.5","12.3.6","12.3.6.1","12.3.6.2","12.3.6.4","12.4.0","12.4.1","12.4.3","12.5","12.5.1","12.5.2","12.5.3","12.5.4","12.5.5","12.5.6","12.5.7","12.6","12.6.1","12.6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10864.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}