As is often the case, Automattic’s WPScan recently claimed that a vulnerability in a WordPress plugin had been fixed when it hadn’t. This time it involved the plugin WP Visitor Statistics and an authenticated persistent cross-site scripting (XSS) vulnerability. It is hard to understand how they got that wrong in this instance.

…

[Read more]