CVE-2025-63034

Vulnerability

Overview

The Page View Count plugin for WordPress plugin (page-views-count) versions up to and including 2.9.0 contain a Missing Authorization vulnerability [1]. This flaw allows an attacker to exploit incorrectly configured access control security levels, effectively bypassing intended permission checks [1].

Exploitation

Details

The vulnerability is classified as a Settings Change issue, meaning an unauthenticated remote attacker can modify the plugin's configuration without any prior authentication or elevated privileges or user interaction. The attack surface is broad because the plugin is widely used, and the exploit does not require a privileged account or complex network position [1].

Impact

Successful exploitation enables an attacker to alter plugin settings arbitrarily alter the plugin's settings, potentially redirecting page view tracking or potentially injecting malicious content. This type of vulnerability is frequently leveraged in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of site size or popularity [1].

Mitigation

The vendor has notifies that immediate action is required: update the plugin to a patched version beyond 2.9.0. If an update is not possible, users should contact their hosting provider or web developer for assistance. No workaround is provided beyond updating [1].