WP Statistics < 14.5.1 - Unauthenticated Stored Cross-Site Scripting

Description The plugin does not properly escape visited URLs which are reflected on the plugin’s dashboard.

PoC

Visit one same page multiple times so it makes it to the most visited pages, adding the following “utm_id” parameter to it: http://vulnerable-site.tld/attacked-page/?utm_id="><img%2Fsrc=x onerror%3Dalert(123)%2F%2F>