CVE-2023-4774 in WP-Matomo Integration Plugin
Summary
by MITRE • 09/22/2023
The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/10/2026
The WP-Matomo Integration plugin for WordPress is a widely used tool that lets site administrators integrate Matomo analytics tracking into their WordPress sites. This vulnerability affects versions up to and including 1.0.28, where the plugin fails to properly sanitize user-supplied input within its wp-piwik shortcode implementation. The flaw is a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts that persist in the application's database. It falls under CWE-79 (Cross-Site Scripting), specifically the stored variant, where the malicious payload is saved and executed during subsequent page requests. The attack vector is the shortcode functionality, which processes user-provided attributes without adequate sanitization or escaping, so injected code executes whenever legitimate users access pages containing the compromised shortcode.
The technical exploitation of this vulnerability requires an attacker to possess contributor-level privileges or higher within the WordPress environment, which is a relatively low barrier to entry since contributors typically have significant write access to posts and pages. When an attacker injects malicious JavaScript through the wp-piwik shortcode attributes, the code gets stored in the WordPress database and executed whenever any user accesses pages containing the affected shortcode. This creates a persistent threat vector that can affect any user who views pages with the compromised content, regardless of their permission level or authentication status. The vulnerability's impact extends beyond simple script execution as it can enable more sophisticated attacks such as session hijacking, credential theft, or redirection to malicious sites. The stored nature of the XSS means that the malicious code remains active until manually removed from the database, potentially affecting numerous users over extended periods.
The operational impact of this vulnerability creates significant security risks for WordPress sites using the affected plugin version, particularly those with multiple contributors or users who may inadvertently access compromised pages. Attackers can leverage this vulnerability to steal user sessions, modify content, redirect users to phishing sites, or perform actions on behalf of legitimate users. The vulnerability's presence in a widely used analytics plugin means that attackers can potentially compromise numerous websites simultaneously, as the plugin's functionality is commonly implemented across various WordPress installations. Organizations using this plugin face potential data breaches, unauthorized access to sensitive information, and damage to their reputation due to the persistence of the malicious scripts. This vulnerability also represents a significant concern for compliance with security standards such as those outlined in the OWASP Top Ten, specifically addressing the risks associated with insufficient input validation and output encoding.
Mitigation strategies for this vulnerability should include immediate patching of the WP-Matomo Integration plugin to version 1.0.29 or later, which contains the necessary sanitization and escaping fixes. Administrators should also implement proper access controls to limit contributor-level permissions to only trusted individuals, as this reduces the attack surface for exploitation. Additional defensive measures include monitoring for unauthorized shortcode modifications, implementing content security policies to limit script execution, and conducting regular security audits of plugin installations. The vulnerability demonstrates the importance of proper input validation and output escaping as outlined in the ATT&CK framework's techniques for command and control operations. Organizations should also consider implementing web application firewalls and security monitoring solutions to detect and prevent exploitation attempts, while maintaining regular updates to all WordPress plugins and core software to ensure protection against known vulnerabilities.
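The following is an added illustration, not code from WP-Matomo Integration: a hypothetical shortcode handler that reproduces the pattern the advisory describes (shortcode attributes written into HTML without sanitization or escaping) next to its hardened form, using WordPress's real `shortcode_atts`, `absint`, `esc_html` and `esc_attr` helpers, with minimal fallbacks so the file also runs under plain PHP.

```php
<?php
// Added example, not the plugin's own code. Hypothetical [stats_link] shortcode.
// Fallbacks approximate the WordPress helpers so the file runs outside WordPress.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function absint( $n ) { return abs( intval( $n ) ); }
    function shortcode_atts( $defaults, $atts ) {
        // Keep only whitelisted keys, fill the rest from the defaults (as WordPress does).
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
}

// VULNERABLE pattern (CWE-79): attribute values are interpolated straight into markup,
// so any contributor who can place the shortcode controls the rendered HTML.
function stats_link_unsafe( $atts ) {
    $a = shortcode_atts( array( 'id' => '0', 'label' => 'Stats' ), $atts );
    return '<a data-site="' . $a['id'] . '">' . $a['label'] . '</a>';
}

// HARDENED form: whitelist attributes, coerce each to its expected type,
// then escape for the exact output context (attribute vs. text node).
function stats_link_safe( $atts ) {
    $a     = shortcode_atts( array( 'id' => '0', 'label' => 'Stats' ), $atts );
    $id    = absint( $a['id'] );        // site id must be a non-negative integer
    $label = esc_html( $a['label'] );   // label is rendered as a text node
    return '<a data-site="' . esc_attr( (string) $id ) . '">' . $label . '</a>';
}

// Register the hardened handler when running inside WordPress.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'stats_link', 'stats_link_safe' );
}

// Constructed attribute values containing HTML metacharacters, as a contributor could supply.
$atts = array( 'id' => '7" data-x="', 'label' => '<b>Stats</b>' );
echo stats_link_unsafe( $atts ), PHP_EOL;  // metacharacters reach the page unchanged
echo stats_link_safe( $atts ), PHP_EOL;    // id coerced to 7, label entity-encoded
```

Comparing the two printed lines shows why the advisory attributes the flaw to both missing input sanitization (type coercion of `id`) and missing output escaping (context-aware encoding of `label`); either alone leaves a path open.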