{"id":"CVE-2022-1005","details":"The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters","modified":"2026-04-10T04:42:34.038497Z","published":"2022-06-08T10:15:09.237Z","references":[{"type":"EVIDENCE","url":"https://wpscan.com/vulnerability/f37d1d55-10cc-4202-8d16-9ec2128f54f9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wp-statistics/wp-statistics","events":[{"introduced":"0"},{"fixed":"5adce98f45c31e3f7104c4e18d66beaabfdda9b4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"13.2.2"}]}}],"versions":["12.0.10","12.0.11","12.0.12","12.0.12.1","12.0.6","12.0.7","12.0.8","12.0.8.1","12.0.9","12.1.0","12.1.1","12.1.2","12.1.3","12.2","12.3","12.3.1","12.3.2","12.3.3","12.3.4","12.3.5","12.3.6","12.3.6.1","12.3.6.2","12.3.6.4","12.4.0","12.4.1","12.4.3","12.5","12.5.1","12.5.2","12.5.3","12.5.4","12.5.5","12.5.6","12.5.7","12.6","12.6.1","12.6.10","12.6.11","12.6.12","12.6.13","12.6.2","12.6.3","12.6.4","12.6.5","12.6.6","12.6.7","12.6.8","12.6.9","13.0","13.0.3","13.0.4","13.0.5","13.0.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1005.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}