CVE-2025-53193

The Burst Statistics plugin for WordPress, versions 2.0.6 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The vulnerability exists because the plugin does not properly validate or include nonce tokens in sensitive operations, allowing an attacker to forge requests on behalf of an authenticated administrator or other privileged user [1].

Exploitation

To exploit this vulnerability, an attacker must trick a logged-in user with sufficient privileges (such as a site administrator) into performing an action—such as clicking a malicious link or submitting a crafted form [1]. No direct authentication from the attacker is required, but the victim must be authenticated to the WordPress site where the plugin is active [1]. The attack does not require any special network position and can be delivered via email, social engineering, or by embedding a malicious payload on another site [1].

Impact

Successful exploitation could allow an attacker to force the victim to execute unintended actions within the Burst Statistics plugin, such as changing settings, deleting data, or performing other administrative operations [1]. The CVSS score of 4.3 (Medium) reflects the low likelihood of exploitation due to required user interaction, but the potential for abuse in mass-exploit campaigns is noted [1].

Mitigation

The vendor has released version 2.0.8, which patches the CSRF vulnerability [1]. Users are strongly advised to update to the latest version. For those unable to update immediately, enabling auto-updates for plugins via Patchstack or contacting their hosting provider is recommended [1].