The Advanced Page Visit Counter WordPress plugin before 6.1.6 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| advanced_page_visit_counter_project | advanced_page_visit_counter | * |
The Advanced Page Visit Counter WordPress plugin before 6.1.2 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| advanced_page_visit_counter_project | advanced_page_visit_counter | * |