WordPress Plugin Vulnerability Report – Hotjar – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2023-1259

Plugin Name: Hotjar

Key Information:

  • Software Type: Plugin
  • Software Slug: hotjar
  • Software Status: Removed
  • Software Author: hotjar
  • Software Downloads: 868,850
  • Active Installs: 100,000
  • Last Updated: October 5, 2023
  • Patched Versions: Not yet patched
  • Affected Versions: <=1.0.15

Vulnerability Details:

  • Name: Hotjar <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-1259
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: October 5, 2023
  • Researcher: Marco Wotschka
  • Description: The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjar_site_id in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.


The Hotjar plugin for WordPress has a vulnerability in versions up to and including 1.0.15 that allows authenticated users with admin privileges to inject malicious scripts into pages. This vulnerability has not yet been patched.

Detailed Overview:

The Hotjar plugin is vulnerable to stored cross-site scripting in versions up to and including 1.0.15, according to security researcher Marco Wotschka. The vulnerability is due to insufficient sanitization of the hotjar_site_id parameter, allowing authenticated admins to inject arbitrary JavaScript that will execute when pages containing the payload are loaded by users. This exposes sites to serious risks of takeover, data exfiltration and more in the event an admin account is compromised. The vulnerability is exploitable in multisite installations and where the unfiltered_html capability has been disabled for security reasons. Hotjar has not yet issued a fix, so sites running affected versions should consider discontinuing use of this plugin or limiting admin access until a patch is available.

Advice for Users:

  1. Immediate Action: Disable the Hotjar plugin or limit admin access if possible until a fix is released.
  2. Check for Signs of Vulnerability: Review pages and posts for unexpected JavaScript or iFrames that could indicate malicious scripts were injected. Also check for unauthorized admin accounts.
  3. Alternate Plugins: Consider using alternatives like MonsterInsights for analytics until Hotjar patches this issue.
  4. Stay Updated: Always keep plugins updated and review changelogs to ensure you're running secure versions.


This serious stored XSS vulnerability in Hotjar underscores the importance of timely security updates for plugins. Users should ensure they are running the latest plugin versions and restrict admin access where possible as a precaution until a fix for CVE-2023-1259 is available.




Detailed Report:

Keeping your WordPress website and its plugins up-to-date is one of the most important things you can do to maintain security. Unfortunately, a serious vulnerability was recently disclosed in the Hotjar plugin that allows authenticated users with admin access to inject malicious scripts into your site. This cross-site scripting (XSS) flaw affects all versions up to and including 1.0.15, leaving over 100,000 sites open to attack according to active install figures. If you use Hotjar for analytics or feedback polls, you should immediately restrict admin access if possible and consider alternatives until a fix is available. In this post, we'll explain the risks this poses and steps you can take to lock down your site. We're also happy to offer a free security review to help ensure your site is fully protected. Don't wait to update plugins and lock down access - it only takes one vulnerability to lead to a site takeover.

Hotjar is a popular WordPress plugin with over 868,000 downloads. It provides website analytics and user feedback features like heatmaps, recordings, and polls. The plugin is developed by Hotjar Ltd. and the current version is 1.0.15.

Unfortunately, all versions up to and including 1.0.15 contain a serious vulnerability that allows authenticated administrators to inject malicious scripts into pages and posts. This stored cross-site scripting (XSS) flaw was disclosed on October 5, 2023 by researcher Marco Wotschka and has been assigned CVE identifier CVE-2023-1259.

Specifically, the issue is due to insufficient sanitization of the hotjar_site_id parameter. By inserting JavaScript payloads into this variable, an admin can cause the code to be stored in the database and executed whenever a page or post is viewed by any user. This could allow takeover of user accounts, installation of cryptominers, data exfiltration and more.

The flaw affects multisite installations and sites where the unfiltered_html capability has been restricted. Hotjar has not yet provided a fix, so sites running vulnerable versions should immediately take steps to minimize risk.

If your site utilizes the Hotjar plugin, you should take these actions right away:

  • Disable the plugin if you don't need its functionality until a patch is issued.
  • Restrict administrative access to trusted users only.
  • Monitor posts and pages for unauthorized edits or unexpected JavaScript.
  • Consider migrating to an alternate analytics plugin like MonsterInsights.
  • Sign up for vulnerability notifications about the plugins you use.

Staying on top of vulnerabilities in WordPress and its plugins is challenging, especially for small business owners without dedicated technical teams. However, timely security updates are absolutely critical to avoid compromises. If you need help keeping your site safe, consider contracting an expert for monitoring and maintenance. We also recommend enabling automatic background updates for the core WordPress software and any plugins you use.

This vulnerability underscores the importance of restricting admin access, monitoring for unauthorized changes, and updating plugins promptly when fixes are released. By taking a proactive approach to security, you can avoid becoming the next victim of a serious exploit like this stored XSS flaw in Hotjar.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

WordPress Plugin Vulnerability Report – Hotjar – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2023-1259 FAQs

Leave a Comment