CVE-2025-7652

The Easy Plugin Stats plugin for WordPress, up to version 2.0.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in its 'eps' shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing maliciously crafted attributes can be stored and later executed in the context of a victim's browser [1] victim's browser.

Exploitation

An attacker must have at least contributor-level access to the WordPress site. The vulnerability is triggered by injecting a crafted payload into the shortcode attributes. When the shortcode is rendered on a page, the unsanitized script executes for any user viewing that page. No additional authentication is required beyond the contributor role.

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts (JavaScript, HTML) into pages. This can lead to session hijacking, defacement, or redirection to redirect users to malicious sites. The plugin has been closed permanently as of August 15, 2025, and is no longer available for download [1].

Mitigation

Users should immediately remove the plugin from their WordPress installations. No patched version is available, and the vendor has permanently closed the plugin. Sites that continue to use the plugin remain vulnerable to this stored XSS attack.