CVE-2025-49996

The WP Visitor Statistics (Real Time Traffic) plugin for WordPress versions from n/a through 8.4 contains a missing authorization vulnerability. The plugin fails to properly enforce access control lists (ACLs) on certain functions, meaning that permissions are not checked before allowing access to functionality that should be restricted [1].

This issue can be exploited by any unauthenticated user with network access to the WordPress site. No special privileges or authentication are required to trigger the vulnerability. The attack surface is broad, as any visitor to the site could potentially access the vulnerable endpoints [1].

An attacker can leverage this broken access control to execute functionality intended only for higher-privileged users, such as viewing sensitive visitor statistics or performing administrative actions. While the CVSS score is 5.3 (Medium), the vulnerability is known to be targeted in mass-exploit campaigns against WordPress sites [1].

The vendor has released version 8.5 of the plugin to fix this issue. Users are strongly advised to update immediately or enable automatic updates via Patchstack. If updating is not possible, contact your hosting provider for assistance [1].