CVE-2025-53566

Vulnerability

Overview

The WP Visitor Statistics (Real Time Traffic) plugin for WordPress, up to version 7.8, contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker with appropriate privileges to inject arbitrary web scripts or HTML into the plugin's pages, which are then stored and executed when other users access the affected functionality [1].

Attack

Vector and Requirements

Exploitation requires that a privileged user (such as an administrator) performs an action like clicking a malicious link or visiting a crafted page [1]. The attack is initiated by an authenticated attacker with the necessary role, and user interaction is required for the attack to succeed [1]. The CVSS v3 base score is 6.5 (Medium), reflecting the need for privileges and user interaction despite the potential for impactful script injection [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into the website [1]. These injected scripts execute when other users (including site visitors) access the compromised page, potentially leading to phishing, data theft, or further compromise of the site [1].

Mitigation

The vulnerability is fixed in version 7.9 of the plugin [1]. Users are strongly advised to update immediately, especially as this type of vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1]. If updating is not possible, users should consult their hosting provider or a web developer for assistance [1]. Patchstack users can enable auto-updates for vulnerable plugins to stay protected [1].