WordPress Yandex Metrica Counter Plugin <= 1.4.3 is vulnerable to Cross Site Scripting (XSS)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in Yandex Metrica Counter plugin <=1.4.3 allows admin-level attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Yandex Metrica Counter plugin for WordPress, versions ≤ 1.4.3. The flaw allows authenticated users with administrator-level permissions to inject arbitrary web scripts via the plugin's settings or input fields [1].
Exploitation
An attacker with administrator-level access (admin+) can inject malicious JavaScript code into the plugin configuration. When other administrators view the affected pages (e.g., plugin settings or dashboard), the injected script executes in their browser. No additional user interaction is required beyond normal page load.
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the WordPress admin area. This could lead to session hijacking, defacement, or further compromise of the site by enabling actions such as forcing password changes or creating rogue admin accounts.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of July 27, 2023 due to a security issue [1]. No patched version is available. Users who have this plugin installed should immediately uninstall it and seek alternative solutions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.4.3
- Alexander Semikashev/Yandex Metrica Counter · v5 · Range: n/a
Patches
counter-yandex-metrica: This plugin has been removed from the WordPress.org directory on 2023-07-27 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
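Because a closed plugin gets no update notice, leftover copies have to be found by scanning the filesystem for the directory slug and version range listed above. The following Python sketch is an added example, not code from the plugin or from this advisory's sources; it assumes the default `wp-content/plugins/` layout, and the tree built in `demo()` (including the file name `plugin.php`) is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

SLUG = "counter-yandex-metrica"   # directory slug as listed on this page
LAST_AFFECTED = (1, 4, 3)         # page states versions <= 1.4.3 are affected

# WordPress reads plugin metadata from a "Version:" line in a PHP header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1)))


def find_installs(root):
    """Yield (plugin_dir, version, affected) for each copy of the plugin under root."""
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{SLUG}")):
        if not plugin_dir.is_dir():
            continue
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            # WordPress only scans the first 8 KB of a file for header fields.
            version = parse_version(php.read_text(errors="replace")[:8192])
            if version is not None:
                break
        # No fixed release exists, so an unreadable version is flagged as well.
        affected = version is None or version <= LAST_AFFECTED
        yield plugin_dir, version, affected


def demo():
    """Scan a constructed two-site tree; only site-a carries the plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "site-a", "wp-content", "plugins", SLUG)
        d.mkdir(parents=True)
        header = "<?php\n/*\n * Plugin Name: Constructed sample\n * Version: 1.4.3\n */\n"
        (d / "plugin.php").write_text(header)  # hypothetical main file name
        Path(tmp, "site-b", "wp-content", "plugins", "other-plugin").mkdir(parents=True)
        return [(p.relative_to(tmp).parts[0], v, a) for p, v, a in find_installs(tmp)]


if __name__ == "__main__":
    for site, version, affected in demo():
        print(site, version, "AFFECTED: uninstall" if affected else "not in range")
```

Point `find_installs()` at the directory that holds your sites (for example a web root) to list every copy that still needs to be uninstalled.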