CVE-2025-58867

The Easy Download Media Counter plugin for WordPress versions up to and including 1.2 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users view the affected page.

Exploitation requires an authenticated user with at least contributor-level privileges to submit malicious input via the plugin's media counter functionality. The vulnerability is triggered when a privileged user (e.g., administrator) visits the page containing the injected payload, such as by clicking a link or viewing the dashboard [1]. This user interaction is necessary for the script to execute.

Successful exploitation enables an attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies. The injected script runs in the context of the victim's browser, potentially leading to further compromise of the WordPress site [1].

As of the publication date, no patch is available for versions 1.2 and earlier. Users are advised to update the plugin immediately if a fix is released, or to contact their hosting provider for assistance. The vulnerability is listed in the Patchstack database and is considered a medium-severity risk (CVSS 6.5) [1].