CVE-2025-23565

The Wibstats plugin for WordPress (versions up to and including 0.5.5) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a response, which is then executed in the context of the victim's browser.

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1]. The attacker does not need authentication but must trick the target user into interacting with the crafted request. This makes the attack suitable for mass campaigns targeting multiple WordPress sites.

Successful exploitation enables the attacker to inject malicious scripts that can redirect visitors, display advertisements, steal session cookies, or perform other actions within the affected site's security context [1]. The CVSS v3 score of 7.1 (High) reflects the potential for significant impact with relatively low attack complexity.

As of the publication date, no official patch has been released for the plugin. The vendor recommends updating the plugin immediately; if an update is not available, applying a virtual patch or mitigation rule (such as those provided by Patchstack) can block exploitation attempts until a fix is deployed [1]. Users unable to update should consult their hosting provider or web developer for assistance.