A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Piwik user into visiting a Login URL crafted by the attacker.

While this is a low risk threat, Piwik users are encouraged to update to the latest version of Piwik. This issue exists in Piwik versions 0.1.6 through 0.5.5.

In Piwik 0.6, the form_url parameter has been removed.


  • CVE-2010-1453 – Login Form XSS

Anthon Pang

- active contributor for years, Anthon has designed some some major features in Piwik such as the first version of the Javascript tracker. He still regularly advises the team.

Any questions?

Many answers and more information about Piwik You can find here:

We are social

Follow us: