Platform
wordpress
Component
wp-stats-manager
Fixed in
8.2.1
CVE-2025-49400 describes a Stored Cross-Site Scripting (XSS) vulnerability within the WP Visitor Statistics (Real Time Traffic) plugin for WordPress. This vulnerability allows attackers to inject malicious scripts that are then stored and executed when other users visit affected pages. The vulnerability impacts versions of the plugin prior to 8.2.1 and has a CVSS score of 9.8 (CRITICAL). A patch has been released in version 8.2.1.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the plugin's data storage, which would then be executed in the browsers of any user visiting a page displaying data from the plugin. This could lead to various malicious actions, including session hijacking, redirection to phishing sites, defacement of the website, and theft of sensitive user data, such as cookies and login credentials. The attacker could potentially gain complete control over the user's browsing session, impersonate them, and access restricted areas of the website. Given the plugin's function of tracking visitor statistics, a large number of users could be exposed to this risk.
CVE-2025-49400 was publicly disclosed on 2025-08-20. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. The severity is considered high due to the CRITICAL CVSS score and the potential for widespread impact on WordPress sites using the affected plugin.
WordPress websites utilizing the WP Visitor Statistics (Real Time Traffic) plugin are at risk. Sites with high traffic volumes or those that collect sensitive user data are particularly vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if updates are not applied promptly.
• wordpress / composer / npm:
grep -r "osama.esh/wp-visitor-statistics" /var/www/html/wp-content/plugins/
wp plugin list | grep "WP Visitor Statistics"
• generic web:
curl -I https://your-wordpress-site.com/ | grep Content-Security-Policy
Disclosure
Exploit status
EPSS
0.03% (percentile 9%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49400 is to immediately upgrade the WP Visitor Statistics (Real Time Traffic) plugin to version 8.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the plugin to prevent further exploitation. While a direct WAF rule is difficult to implement due to the nature of stored XSS, implementing strict Content Security Policy (CSP) headers can help mitigate the impact by restricting the sources from which scripts can be executed. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
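The two checks above (is the vulnerable plugin installed, and does the site send a CSP) are easy to get wrong by eye: a version such as 8.2.10 sorts before 8.2.1 textually, and a CSP header whose script-src allows 'unsafe-inline' does nothing against stored XSS. The following POSIX shell script is an added example written for this advisory; it is not one of the page's own commands and not the plugin vendor's code. It assumes WP-CLI is available, that the plugin is listed under the slug wp-stats-manager (the advisory's Component field), and that plugin versions are plain dotted numbers. The CSV and HTTP header samples embedded in it are constructed so it runs offline.

```shell
#!/bin/sh
# Added example for CVE-2025-49400 triage (not the advisory's commands, not vendor code).
# 1) check_plugin_csv: flag the plugin if its installed version is below the fix (8.2.1).
# 2) csp_script_src_strict: report whether a CSP actually restricts inline scripts.
# Assumptions: WP-CLI exists; the plugin slug is "wp-stats-manager"; versions are numeric.

FIXED_VERSION="8.2.1"
PLUGIN_SLUG="wp-stats-manager"

# version_lt A B: exit 0 if dotted version A is lower than B, comparing up to three
# numeric fields. Missing fields count as 0, so "8.2" < "8.2.1" and "8.2.10" > "8.2.1".
# awk is used instead of sort -V, which BusyBox and some BSD sorts do not provide.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        f2=$(printf '%s' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        if [ "$f1" -lt "$f2" ]; then return 0; fi
        if [ "$f1" -gt "$f2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# check_plugin_csv: read `wp plugin list --format=csv` output (name,status,update,version)
# on stdin. Print "<slug> <version> VULNERABLE" and exit 0 if the installed version is
# below FIXED_VERSION; print "<slug> <version> patched" and exit 1 otherwise.
check_plugin_csv() {
    rc=1
    while IFS=, read -r name status update version; do
        version=$(printf '%s' "$version" | tr -d '\r')   # WP-CLI on Windows may emit CRLF
        [ "$name" = "$PLUGIN_SLUG" ] || continue
        if version_lt "$version" "$FIXED_VERSION"; then
            printf '%s %s VULNERABLE\n' "$name" "$version"
            rc=0
        else
            printf '%s %s patched\n' "$name" "$version"
        fi
    done
    return $rc
}

# csp_script_src_strict: read raw HTTP response headers on stdin. Exit 0 only if an
# enforcing Content-Security-Policy header is present (Report-Only does not block
# anything and is deliberately not matched) and the directive governing scripts
# (script-src, falling back to default-src) does not contain 'unsafe-inline'.
csp_script_src_strict() {
    csp=$(grep -i '^content-security-policy:' | head -n 1 | tr -d '\r')
    [ -n "$csp" ] || return 1
    policy=${csp#*:}
    directive=$(printf '%s' "$policy" | tr ';' '\n' | grep -i '^ *script-src' || true)
    if [ -z "$directive" ]; then
        directive=$(printf '%s' "$policy" | tr ';' '\n' | grep -i '^ *default-src' || true)
    fi
    [ -n "$directive" ] || return 1
    ! printf '%s' "$directive" | grep -qi "unsafe-inline"
}

# Constructed sample data (not captured from any real site) so the script runs offline.
SAMPLE_CSV="name,status,update,version
akismet,active,none,5.3.2
wp-stats-manager,active,available,7.9.4"

STRICT_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"

WEAK_HEADERS="HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'"

# Stand-alone demo on the samples. Live use on a real site:
#   wp plugin list --format=csv | check_plugin_csv
#   curl -sI https://your-wordpress-site.com/ | csp_script_src_strict
printf '%s\n' "$SAMPLE_CSV" | check_plugin_csv || true
for h in "$STRICT_HEADERS" "$WEAK_HEADERS"; do
    if printf '%s\n' "$h" | csp_script_src_strict; then
        echo "CSP: inline scripts blocked"
    else
        echo "CSP: missing, report-only, or allows inline scripts (no XSS mitigation)"
    fi
done
```

The CSP check is intentionally narrow: it only answers whether inline script execution is blocked, which is the property that limits what a stored payload can do. A policy that passes this check can still be weakened by an overly broad script-src host list, so treat it as a screening step, not a substitute for upgrading to 8.2.1.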
Update the WP Visitor Statistics (Real Time Traffic) plugin to the latest available version to mitigate the XSS vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as validation and sanitization of user input, to prevent future XSS attacks.
CVE-2025-49400 is a CRITICAL Stored XSS vulnerability in the WP Visitor Statistics plugin, allowing attackers to inject malicious scripts.
You are affected if you are using WP Visitor Statistics plugin versions prior to 8.2.1.
Upgrade the plugin to version 8.2.1 or later. Temporarily disable the plugin if upgrading is not immediately possible.
As of 2025-08-20, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.