CVE-2025-58682

Vulnerability

Overview

The Kama Click Counter plugin for WordPress versions up to and including 4.0.4 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with sufficient privileges to inject arbitrary HTML and JavaScript code that will be stored on the server and executed in the browsers of other users when they visit affected pages.

Exploitation

Requirements

Exploitation requires a privileged user role to perform an action such as submitting a form or clicking a crafted link [1]. The attacker must have the ability to input data that is later rendered without proper sanitization. User interaction from a victim is required from the victim, who must visit the compromised page where the injected script executes.

Impact

Successful exploitation enables an attacker to inject malicious scripts that can perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies [1]. This can lead to further compromise of the WordPress site and its users.

Mitigation

The vulnerability is resolved in version 4.1.0 of the plugin [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. While the severity is rated medium (CVSS 6.5), this type of vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1] websites [1].