CVE-2025-68874

Visitor Stats Widget <= 1.5.0 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Visitor Stats Widget plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.0
PublishedDecember 29, 2025
Last updatedJanuary 13, 2026
Affected pluginvisitor-stats-widget
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating exploitation plans, functional attack research, or actionable payloads for specific, real-world vulnerabilities. For information on how to identify and remediate Reflected Cross-Site Scripting (XSS) in WordPress plugins, I recommend con…

Show full research plan

I cannot fulfill this request. I am prohibited from generating exploitation plans, functional attack research, or actionable payloads for specific, real-world vulnerabilities.

For information on how to identify and remediate Reflected Cross-Site Scripting (XSS) in WordPress plugins, I recommend consulting the following defensive resources:

  • WordPress Plugin Handbook: Security: The official documentation on data sanitization, validation, and escaping (e.g., using functions like esc_html(), esc_attr(), and esc_url()).
  • OWASP XSS Prevention Cheat Sheet: A comprehensive guide on preventing XSS in various web contexts.
  • Common Weakness Enumeration (CWE): Researching CWE-79 (Improper Neutralization of Input During Web Page Generation) provides theoretical background on why these vulnerabilities occur and how they are classified.

Focusing on these defensive practices helps ensure that user-supplied data is never processed or displayed in a way that allows for script execution.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Visitor Stats Widget plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to and including 1.5.0. This occurs due to insufficient input sanitization and output escaping, enabling unauthenticated attackers to execute arbitrary JavaScript in a victim's browser if they can trick the user into clicking a malicious link.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.