Skip to main content

Visitor Details CVE-2025-25132

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:18 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ravi Singh Visitor Details allows Stored XSS. This issue affects Visitor Details: from n/a through 1.0.1.

AnalysisAI

Stored cross-site scripting (XSS) in the Visitor Details WordPress plugin through version 1.0.1 allows remote unauthenticated attackers to inject malicious scripts that execute when authenticated users view visitor logs. The vulnerability leverages improper input sanitization in user-controllable fields (likely visitor metadata like User-Agent, referrer, or custom parameters). Exploitation requires victim interaction (UI:R) with the modified scope (S:C) enabling attacks beyond the vulnerable plugin's context. EPSS exploitation probability is low at 0.09% (26th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a moderate-priority remediation for sites using this plugin in administrative contexts.

Technical ContextAI

This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Visitor Details WordPress plugin, which logs and displays visitor activity data to site administrators. The flaw occurs when the plugin stores attacker-supplied input-typically transmitted via HTTP headers (User-Agent, Referer), query parameters, or POST data during normal site visits-without proper HTML encoding or sanitization. When administrators later view visitor logs through the WordPress dashboard, the stored malicious JavaScript executes in their browser session. The changed scope (S:C) in the CVSS vector indicates the vulnerability affects resources beyond the plugin itself, enabling attackers to target WordPress core admin functions, other plugins, or exfiltrate session tokens. As a stored XSS, the payload persists in the database and triggers repeatedly until removed, unlike reflected XSS which requires per-victim delivery.

Affected ProductsAI

The vulnerability affects all versions of the Visitor Details WordPress plugin from initial release through version 1.0.1, developed by ravi Singh. The plugin is distributed through the WordPress.org plugin repository and is designed to track and display visitor activity including IP addresses, geographic data, browser information, and referral sources. Installations running version 1.0.1 or earlier are confirmed vulnerable per Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visitors-details/vulnerability/wordpress-visitor-details-plugin-1-0-1-cross-site-scripting-xss-vulnerability. No specific CPE identifier is provided in available data. The plugin primarily targets WordPress administrators and site owners who monitor visitor analytics, placing administrative users at risk when reviewing logged data.

RemediationAI

Immediately update Visitor Details plugin to a patched version newer than 1.0.1 if available through the WordPress plugin repository. Check the official plugin page at wordpress.org/plugins/visitors-details for update availability, though no specific patched version number has been independently confirmed in available data sources. If no update exists, deactivate and uninstall Visitor Details plugin entirely, then audit the WordPress database (wp_options or custom tables created by the plugin) to remove stored visitor logs containing potential XSS payloads by searching for script tags, JavaScript event handlers, or encoded payloads in visitor metadata fields. As a temporary compensating control if the plugin must remain active, restrict dashboard access to the visitor logs page using role-based access control plugins, limiting exposure to only essential administrators, though this reduces attack surface rather than eliminating the vulnerability. Implement Web Application Firewall (WAF) rules to block common XSS patterns in User-Agent and Referer headers before they reach WordPress, noting this may generate false positives for legitimate browsers with unusual fingerprints. Consider alternative visitor tracking solutions with active security maintenance such as Jetpack Stats, MonsterInsights, or server-level analytics tools like Matomo that separate tracking from admin interfaces. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visitors-details/vulnerability/wordpress-visitor-details-plugin-1-0-1-cross-site-scripting-xss-vulnerability for vendor communication status and patch timeline.

Share

CVE-2025-25132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy