Platform: wordpress
Component: wp-stats-manager
Fixed in: 8.2.1
CVE-2025-49400 describes a Stored Cross-Site Scripting (XSS) vulnerability within the WP Visitor Statistics (Real Time Traffic) plugin for WordPress. This vulnerability allows attackers to inject malicious scripts that are then stored and executed when other users visit affected pages. The vulnerability impacts versions of the plugin prior to 8.2.1 and has a CVSS score of 9.8 (CRITICAL). A patch has been released in version 8.2.1.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the plugin's data storage, which would then be executed in the browsers of any user visiting a page displaying data from the plugin. This could lead to various malicious actions, including session hijacking, redirection to phishing sites, defacement of the website, and theft of sensitive user data, such as cookies and login credentials. The attacker could potentially gain complete control over the user's browsing session, impersonate them, and access restricted areas of the website. Given the plugin's function of tracking visitor statistics, a large number of users could be exposed to this risk.
CVE-2025-49400 was publicly disclosed on 2025-08-20. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. The severity is considered high due to the CRITICAL CVSS score and the potential for widespread impact on WordPress sites using the affected plugin.
WordPress websites utilizing the WP Visitor Statistics (Real Time Traffic) plugin are at risk. Sites with high traffic volumes or those that collect sensitive user data are particularly vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if updates are not applied promptly.
• wordpress / composer / npm:
grep -r "osama.esh/wp-visitor-statistics" /var/www/html/wp-content/plugins/
wp plugin list | grep wp-stats-manager
• generic web:
curl -I https://your-wordpress-site.com/ | grep -i Content-Security-Policy
Disclosure
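The detection commands above only show whether the plugin is present; the following script is an added example (not code from this advisory or from the plugin's authors) that turns the check into a version comparison against the fixed release 8.2.1. It assumes the plugin lives under wp-content/plugins/wp-stats-manager and that its "Version:" header sits in a .php file in that directory, the standard WordPress layout; the sample plugin directory it builds for the demo is constructed data.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: report whether an
# installed WP Visitor Statistics plugin is older than the fixed release.
# Assumptions: the plugin lives at wp-content/plugins/wp-stats-manager and its
# "Version:" header is in a .php file in that directory (standard WP layout).

FIXED_VERSION="8.2.1"   # from the advisory

# version_lt A B: succeed (exit 0) when dotted version A is numerically below B.
# Plain string comparison would rank 8.10.0 below 8.9.0; this compares per field.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;  # equal versions are not "less than"
    }'
}

# plugin_version DIR: print the first "Version:" header found in DIR/*.php,
# which is the same value "wp plugin list" reports for the plugin.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1"/*.php 2>/dev/null | head -n 1
}

# check_plugin DIR: print one of not-installed / unknown-version / vulnerable / patched.
check_plugin() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "not-installed"
        return 0
    fi
    v="$(plugin_version "$dir")"
    if [ -z "$v" ]; then
        echo "unknown-version"
        return 0
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# demo: run the check against a constructed plugin directory carrying a
# pre-fix header (sample data made up for this example).
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/wp-stats-manager"
    printf '<?php\n/*\nPlugin Name: WP Visitor Statistics (Real Time Traffic)\nVersion: 8.2.0\n*/\n' \
        > "$tmp/wp-stats-manager/wp-stats-manager.php"
    check_plugin "$tmp/wp-stats-manager"   # prints: vulnerable
    rm -rf "$tmp"
}

# Real use: check_plugin /var/www/html/wp-content/plugins/wp-stats-manager
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the constructed case, or call `check_plugin` on the real plugin directory; a result of "unknown-version" means the header was not found where assumed and the version should be confirmed with `wp plugin list` instead.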
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-49400 is to immediately upgrade the WP Visitor Statistics (Real Time Traffic) plugin to version 8.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent further exploitation. While a direct WAF rule is difficult to implement due to the nature of stored XSS, implementing strict Content Security Policy (CSP) headers can help mitigate the impact by restricting the sources from which scripts can be executed. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
To mitigate the XSS vulnerability, update the WP Visitor Statistics (Real Time Traffic) plugin to the latest available version. Check for updates in the WordPress repository or on the developer's website. Apply additional security measures to prevent future XSS attacks, such as validating and sanitizing user input.
CVE-2025-49400 is a CRITICAL Stored XSS vulnerability in the WP Visitor Statistics plugin, allowing attackers to inject malicious scripts.
You are affected if you are using WP Visitor Statistics plugin versions prior to 8.2.1.
Upgrade the plugin to version 8.2.1 or later. Temporarily disable the plugin if upgrading is not immediately possible.
As of 2025-08-20, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.