WP Visitor Statistics CVE-2025-49400
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) allows Stored XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 8.2.
AnalysisAI
Stored cross-site scripting in WP Visitor Statistics (Real Time Traffic) plugin versions ≤8.2 allows remote unauthenticated attackers to inject malicious scripts into the WordPress database, leading to credential theft, session hijacking, or administrative account compromise. Reported by Patchstack's security team with EPSS exploitation probability of only 0.03% (8th percentile), indicating extremely low observed exploitation likelihood despite the critical CVSS 9.8 rating. No CISA KEV listing or public POC identified at time of analysis.
Technical ContextAI
This vulnerability stems from improper input validation and output encoding (CWE-79) in the WP Visitor Statistics (Real Time Traffic) WordPress plugin. The plugin fails to sanitize user-supplied data before storing it in the WordPress database and rendering it in administrative or public-facing pages. Stored XSS (also called persistent XSS) is particularly dangerous because the malicious payload remains in the database and executes whenever the compromised data is displayed, affecting multiple users over time rather than requiring per-victim social engineering. The vulnerability exists in versions up to and including 8.2, affecting WordPress installations with this plugin active.
Affected ProductsAI
WordPress sites running WP Visitor Statistics (Real Time Traffic) plugin by osama.esh, versions 8.2 and earlier. The vulnerability affects all installations of this plugin within the specified version range. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-2-cross-site-scripting-xss-vulnerability. Note that the second reference URL appears to reference an unrelated plugin (PressApps Knowledge Base) and may be a data correlation error in the NVD record.
RemediationAI
Upgrade WP Visitor Statistics (Real Time Traffic) plugin to version 8.3 or later if available, or remove the plugin entirely if not business-critical. Check the WordPress.org plugin repository or contact the developer osama.esh for the patched release. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict WordPress administrative dashboard access to trusted IP addresses via .htaccess or firewall rules (limits operational flexibility for remote administrators). (2) Implement Content Security Policy headers to block inline script execution (may break legitimate plugin functionality that relies on inline JavaScript). (3) Disable the plugin temporarily and use alternative visitor statistics tools like Jetpack Stats or Google Analytics (loses real-time traffic visibility within WordPress). (4) Review stored visitor data in the plugin's database tables for suspicious HTML/JavaScript content and sanitize manually (labor-intensive and requires database expertise). Advisory details: https://patchstack.com/database/wordpress/plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-2-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today