Visitor Details CVE-2025-25132
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ravi Singh Visitor Details allows Stored XSS. This issue affects Visitor Details: from n/a through 1.0.1.
AnalysisAI
Stored cross-site scripting (XSS) in the Visitor Details WordPress plugin through version 1.0.1 allows remote unauthenticated attackers to inject malicious scripts that execute when authenticated users view visitor logs. The vulnerability leverages improper input sanitization in user-controllable fields (likely visitor metadata like User-Agent, referrer, or custom parameters). Exploitation requires victim interaction (UI:R) with the modified scope (S:C) enabling attacks beyond the vulnerable plugin's context. EPSS exploitation probability is low at 0.09% (26th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a moderate-priority remediation for sites using this plugin in administrative contexts.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Visitor Details WordPress plugin, which logs and displays visitor activity data to site administrators. The flaw occurs when the plugin stores attacker-supplied input-typically transmitted via HTTP headers (User-Agent, Referer), query parameters, or POST data during normal site visits-without proper HTML encoding or sanitization. When administrators later view visitor logs through the WordPress dashboard, the stored malicious JavaScript executes in their browser session. The changed scope (S:C) in the CVSS vector indicates the vulnerability affects resources beyond the plugin itself, enabling attackers to target WordPress core admin functions, other plugins, or exfiltrate session tokens. As a stored XSS, the payload persists in the database and triggers repeatedly until removed, unlike reflected XSS which requires per-victim delivery.
Affected ProductsAI
The vulnerability affects all versions of the Visitor Details WordPress plugin from initial release through version 1.0.1, developed by ravi Singh. The plugin is distributed through the WordPress.org plugin repository and is designed to track and display visitor activity including IP addresses, geographic data, browser information, and referral sources. Installations running version 1.0.1 or earlier are confirmed vulnerable per Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visitors-details/vulnerability/wordpress-visitor-details-plugin-1-0-1-cross-site-scripting-xss-vulnerability. No specific CPE identifier is provided in available data. The plugin primarily targets WordPress administrators and site owners who monitor visitor analytics, placing administrative users at risk when reviewing logged data.
RemediationAI
Immediately update Visitor Details plugin to a patched version newer than 1.0.1 if available through the WordPress plugin repository. Check the official plugin page at wordpress.org/plugins/visitors-details for update availability, though no specific patched version number has been independently confirmed in available data sources. If no update exists, deactivate and uninstall Visitor Details plugin entirely, then audit the WordPress database (wp_options or custom tables created by the plugin) to remove stored visitor logs containing potential XSS payloads by searching for script tags, JavaScript event handlers, or encoded payloads in visitor metadata fields. As a temporary compensating control if the plugin must remain active, restrict dashboard access to the visitor logs page using role-based access control plugins, limiting exposure to only essential administrators, though this reduces attack surface rather than eliminating the vulnerability. Implement Web Application Firewall (WAF) rules to block common XSS patterns in User-Agent and Referer headers before they reach WordPress, noting this may generate false positives for legitimate browsers with unusual fingerprints. Consider alternative visitor tracking solutions with active security maintenance such as Jetpack Stats, MonsterInsights, or server-level analytics tools like Matomo that separate tracking from admin interfaces. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visitors-details/vulnerability/wordpress-visitor-details-plugin-1-0-1-cross-site-scripting-xss-vulnerability for vendor communication status and patch timeline.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today