CVE-2025-67983

The WP Visitor Statistics (Real Time Traffic) plugin for WordPress versions up to 8.3 are vulnerable to a DOM-based Cross-Site Scripting (XSS) attack. The vulnerability stems from improper neutralization of user input during web page generation, allowing attacker-controlled data to be executed as JavaScript in the victim's browser. [1]

Attack exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. An attacker must first inject malicious script into a page, which then executes when a privileged user (e.g., admin) views the affected content. This is a DOM-based XSS, meaning the payload is executed on the client side without persistent storage on the server. [1]

Successful exploitation could allow an attacker to perform actions such as redirecting visitors, displaying advertisements, or stealing session cookies. The CVSS score is 6.5 (Medium), and the vulnerability has been used in mass-exploit campaigns targeting thousands of sites. [1]

The plugin maintainer has addressed this issue in version 8.4. Users are strongly advised to update to the latest version. If auto-updates are enabled via Patchstack, they can automatically deploy the fix. There is no mention of a workaround for older versions. [1]