A vulnerability in the wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php script of the WordPress Traffic Analyzer plug-in version 3.3.2 could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks.
The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to visit a malicious URL that could submit a crafted aoid parameter to the vulnerable script. If successful, it could allow the attacker to execute arbitrary HTML and script code in the user's browser session under the context of the affected site. This could allow the attacker to access sensitive browser-based information such as cookie-based authentication credentials or recently submitted data.
Proof-of-concept code that exploits this vulnerability is publicly available.
Users should verify that unsolicited links are safe to follow.
For additional information about XSS attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors".
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
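As an illustration of the detection advice above, the following added example (not part of the original advisory and not code from the plug-in) scans web server access logs for requests to the affected script whose aoid value falls outside an allowlist. It assumes combined-format log lines and that legitimate aoid values are short identifiers made of letters, digits, underscores and hyphens; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path and parameter name as given in the advisory.
SCRIPT_PATH = "/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php"
PARAM = "aoid"
# Assumption: a legitimate aoid is a short identifier; adjust to match real traffic.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Client address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client, decoded aoid) for requests whose aoid fails the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # endswith() also covers WordPress installed under a subdirectory.
        if not unquote(url.path).lower().endswith(SCRIPT_PATH):
            continue
        # parse_qs percent-decodes values, so encoded markup is compared decoded.
        for value in parse_qs(url.query).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((client, value))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/'
    'trafficanalyzer/js/ta_loaded.js.php?aoid=1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2024:10:00:05 +0000] "GET /blog/wp-content/plugins/'
    'trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?aoid=%3Cb%3E HTTP/1.1" '
    '200 100 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent non-allowlisted {PARAM}: {value!r}")
```

The same allowlist can be expressed as a rule in an IPS or web application firewall placed in front of sites that cannot be updated immediately.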
WordPress has released a changelog at the following link: Traffic Analyzer. WordPress has released updated software at the following link: Traffic Analyzer 3.4.0