CVE-2025-62948

Vulnerability

Overview The Date counter plugin for WordPress, versions up to and including 2.0.3, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw]. This means that input provided by an authenticated user with sufficient privileges is not properly sanitized before being stored and later displayed to other users.

Exploitation

Details To exploit this vulnerability, an attacker must have a role that allows them to submit or modify content that the plugin processes (e.g., a contributor or higher). The attacker injects a malicious script into a field that the plugin stores. When a privileged user (such as an administrator) later views the affected page, the injected script executes in their browser. This requires user interaction from the victim, such as clicking a link or visiting a crafted page [1].

ImpactSuccessful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser session. This can be used to perform actions like redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or defacing the website. The vulnerability is considered medium severity (CVSS 6.5) and is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].

MitigationThe vendor has not released a patched version as of the publication date. Users are strongly advised to update the plugin immediately if a fix becomes available. If updating is not possible, disable or remove the plugin until a secure version is released. Hosting providers or web developers can assist with temporary workarounds, such as applying a web application firewall rule to block malicious input [1].