Platform: wordpress
Component: wp-stats-manager
Fixed in: 8.2.1
CVE-2025-49400 describes a Stored Cross-Site Scripting (XSS) vulnerability within the WP Visitor Statistics (Real Time Traffic) plugin for WordPress. This vulnerability allows attackers to inject malicious scripts that are then stored and executed when other users visit affected pages. The vulnerability impacts versions of the plugin prior to 8.2.1 and has a CVSS score of 9.8 (CRITICAL). A patch has been released in version 8.2.1.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the plugin's data storage, which would then be executed in the browsers of any user visiting a page displaying data from the plugin. This could lead to various malicious actions, including session hijacking, redirection to phishing sites, defacement of the website, and theft of sensitive user data, such as cookies and login credentials. The attacker could potentially gain complete control over the user's browsing session, impersonate them, and access restricted areas of the website. Given the plugin's function of tracking visitor statistics, a large number of users could be exposed to this risk.
CVE-2025-49400 was publicly disclosed on 2025-08-20. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. The severity is considered high due to the CRITICAL CVSS score and the potential for widespread impact on WordPress sites using the affected plugin.
WordPress websites utilizing the WP Visitor Statistics (Real Time Traffic) plugin are at risk. Sites with high traffic volumes or those that collect sensitive user data are particularly vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if updates are not applied promptly.
• wordpress / composer / npm:
grep -r "osama.esh/wp-visitor-statistics" /var/www/html/wp-content/plugins/
wp plugin list | grep "WP Visitor Statistics"
• generic web:
curl -I https://your-wordpress-site.com/ | grep Content-Security-Policy
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49400 is to immediately upgrade the WP Visitor Statistics (Real Time Traffic) plugin to version 8.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent further exploitation. While a direct WAF rule is difficult to implement due to the nature of stored XSS, implementing strict Content Security Policy (CSP) headers can help mitigate the impact by restricting the sources from which scripts can be executed. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
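A helper for checking an installed copy against the fixed release, added here as an example and not part of the advisory or of the plugin: it reads the plugin version through wp-cli (assuming wp-cli is installed and that the plugin directory is wp-stats-manager, as the component header above states) and compares dotted versions component by component, so that 8.10.0 is correctly treated as newer than 8.2.1 where a plain string comparison would get it wrong.

```shell
#!/bin/sh
# Added example (not from the advisory): flag wp-stats-manager installs
# older than the fixed release 8.2.1 named in the advisory.
FIXED_VERSION="8.2.1"

# version_lt A B -> exit status 0 when dotted version A is strictly lower than B.
# Components are compared numerically (so 8.10.0 > 8.2.1), missing components
# count as 0, and anything after the first non-digit in a component is ignored.
version_lt() {
  a="$1."
  b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; x="${x%%[!0-9]*}"; a="${a#*.}"
    y="${b%%.*}"; y="${y%%[!0-9]*}"; b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# is_vulnerable VERSION -> exit status 0 when VERSION predates the fix
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH -> read the installed plugin version via wp-cli and report.
# Assumptions: wp-cli is installed and the plugin directory is wp-stats-manager.
check_site() {
  ver=$(wp plugin get wp-stats-manager --field=version --path="$1" 2>/dev/null) || {
    echo "wp-stats-manager not installed under $1"
    return 2
  }
  if is_vulnerable "$ver"; then
    echo "VULNERABLE: wp-stats-manager $ver < $FIXED_VERSION (CVE-2025-49400)"
    return 1
  fi
  echo "ok: wp-stats-manager $ver is at or above $FIXED_VERSION"
  return 0
}

# Usage: ./check.sh /var/www/html
if [ "$#" -gt 0 ]; then
  check_site "$1"
fi
```

The exit status (0 patched, 1 vulnerable, 2 not installed) makes the script usable from a fleet-wide loop over WordPress document roots.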
Update the WP Visitor Statistics (Real Time Traffic) plugin to the latest available version to mitigate the XSS vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as validating and sanitizing user input, to prevent future XSS attacks.
CVE-2025-49400 is a CRITICAL Stored XSS vulnerability in the WP Visitor Statistics plugin, allowing attackers to inject malicious scripts.
You are affected if you are using the WP Visitor Statistics plugin at a version prior to 8.2.1.
Upgrade the plugin to version 8.2.1 or later. Temporarily disable the plugin if upgrading is not immediately possible.
As of 2025-08-20, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.