CVE-2025-12452
Description
The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Visit Counter WordPress plugin (v1.0) lacks CSRF protection on widgets.php, allowing unauthenticated attackers to update settings and inject scripts via a forged request.
The Visit Counter plugin for WordPress, version 1.0, is vulnerable to Cross-Site Request Forgery (CSRF). The root cause is missing or incorrect nonce validation on the widgets.php page, which fails to verify the origin of requests [1]. This allows an attacker to craft a malicious request that, if triggered by an authenticated administrator, can modify plugin settings without authorization.
To exploit this vulnerability, an unauthenticated attacker must trick a site administrator into performing an action such as clicking on a crafted link. No other authentication or network access is required beyond the ability to deliver the forged request to the administrator [1]. The attack surface is the administrative interface of the plugin, specifically the settings page.
Successful exploitation enables the attacker to update plugin settings and inject malicious web scripts. This could lead to stored cross-site scripting (XSS) attacks, potentially compromising the site's integrity and affecting visitors [1]. The injected scripts could be used to steal session cookies, redirect users, or deface the site.
The Visit Counter plugin has been closed as of October 31, 2025, due to this security issue and is no longer available for download [1]. Users who have the plugin installed should immediately remove it and consider alternative solutions. No patch is available, and the plugin is effectively end-of-life.
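The defect class described above, shown as an added illustration rather than the Visit Counter plugin's own code: a settings handler that trusts any POST reaching an admin page, beside a hardened version that ties the request to a WordPress nonce and a capability check. The option name, nonce action and function names are hypothetical; the plugin's real widgets.php is not on this page.

```php
<?php
// Added example, not the Visit Counter plugin's code. Assumes a hypothetical
// plugin admin page that saves a "footer text" option; all names are invented.

// BEFORE (vulnerable pattern): a logged-in administrator's browser attaches their
// session cookies to a cross-site form submission, so WordPress authenticates the
// request and, with no nonce check, the attacker-chosen value is stored.
function vc_example_save_settings_vulnerable() {
    if ( isset( $_POST['vc_footer_text'] ) ) {
        // No nonce check, no capability check, no sanitization.
        update_option( 'vc_footer_text', $_POST['vc_footer_text'] );
    }
}

// AFTER (hardened): the form embeds a nonce bound to this action and the current
// user; a forged request from another origin cannot know it.
function vc_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'vc_save_settings', 'vc_nonce' ); ?>
        <input type="text" name="vc_footer_text"
               value="<?php echo esc_attr( get_option( 'vc_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function vc_example_save_settings_hardened() {
    if ( ! isset( $_POST['vc_footer_text'] ) ) {
        return;
    }
    // check_admin_referer() stops the request with an error page when the nonce
    // field is missing or does not verify for the current user and action.
    check_admin_referer( 'vc_save_settings', 'vc_nonce' );
    // A valid nonce is not an authorization check; still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    // Strip tags before storing so the option cannot carry script into pages
    // that later render it; escape again (esc_html) at output time.
    $value = sanitize_text_field( wp_unslash( $_POST['vc_footer_text'] ) );
    update_option( 'vc_footer_text', $value );
}
```

The nonce and capability checks close the CSRF path; the sanitization and output escaping address the stored-script consequence the advisory describes.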
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.