Medium severity5.8NVD Advisory· Published Dec 13, 2025· Updated Apr 15, 2026
CVE-2025-9116
CVE-2025-9116
Description
The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.4.8+ 1 more
- (no CPE)range: <=1.4.8
- (no CPE)range: <=1.4.8
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.