CVE-2025-49065 Overview
CVE-2025-49065 is a stored cross-site scripting (XSS) vulnerability in the BestiaDurmiente Visit Counter WordPress plugin. The flaw affects all versions of the visit-counter plugin up to and including 1.0. It results from improper neutralization of user-supplied input during web page generation, classified under [CWE-79]. An authenticated or unauthenticated attacker can inject malicious script content that persists in the page output and executes in the browsers of visitors who view the affected page.
Critical Impact
Stored XSS in the Visit Counter plugin allows attackers to inject persistent JavaScript that executes in administrator and visitor browsers, enabling session hijacking, content manipulation, and pivoting into the WordPress admin context.
Affected Products
- BestiaDurmiente Visit Counter WordPress plugin (visit-counter)
- All plugin versions from initial release through 1.0
- WordPress sites running the plugin in any configuration
Discovery Timeline
- 2025-08-14 - CVE-2025-49065 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-49065
Vulnerability Analysis
The Visit Counter plugin fails to sanitize and encode input before rendering it into HTML output. This produces a stored XSS condition where attacker-controlled data is saved server-side and later returned to clients without proper escaping. The vulnerability requires user interaction, such as visiting a page that contains the injected payload. Successful exploitation executes JavaScript under the origin of the WordPress site, granting access to cookies, the Document Object Model (DOM), and authenticated session context.
Because the injected payload is stored, every subsequent visitor to the affected page triggers execution. The scope change in the CVSS vector reflects that injected scripts run in the security context of the WordPress origin, which differs from the vulnerable plugin component itself. The EPSS exploitation probability is 0.047% as of the most recent scoring date.
Root Cause
The root cause is missing output encoding and input sanitization within the plugin's request handling and rendering paths. WordPress provides helper functions such as esc_html(), esc_attr(), wp_kses(), and sanitize_text_field(), but the affected plugin does not apply them consistently to attacker-controllable values before echoing them into HTML responses.
Attack Vector
The attack vector is network-based and requires no privileges. An attacker submits a crafted payload to an input handled by the plugin. The payload is stored and later served to any user who loads a page rendering that data. When an administrator views the page, the script executes with administrator browser context, enabling actions such as creating new admin accounts, exfiltrating nonces, or injecting backdoors through the plugin or theme editor.
For technical specifics, see the Patchstack WordPress Vulnerability Report.
Detection Methods for CVE-2025-49065
Indicators of Compromise
- Unexpected <script>, <svg>, onerror, or onload content stored in plugin-managed database tables or options
- WordPress admin user accounts created without a corresponding audit trail in wp_users
- Outbound HTTP requests from administrator browsers to attacker-controlled domains shortly after viewing pages with the Visit Counter widget
- Modifications to theme or plugin PHP files immediately following an admin session
Detection Strategies
- Scan the WordPress database for HTML and JavaScript artifacts in fields populated by the visit-counter plugin
- Inspect server access logs for POST requests targeting plugin endpoints with payloads containing script tags or event handler attributes
- Deploy a web application firewall (WAF) rule set that flags reflected and stored XSS patterns in plugin parameters
- Use file integrity monitoring on wp-content/plugins/ and wp-content/themes/ to identify tampering that follows admin XSS execution
Monitoring Recommendations
- Enable WordPress audit logging for user creation, role changes, and plugin or theme file edits
- Forward web server, PHP, and audit logs to a centralized SIEM with retention adequate for forensic review
- Alert on anomalous administrator session activity, including unusual source IP addresses or off-hours logins
- Continuously monitor for new browser-initiated requests to unfamiliar domains originating from the admin interface
How to Mitigate CVE-2025-49065
Immediate Actions Required
- Deactivate and remove the Visit Counter (visit-counter) plugin from all WordPress installations until a patched version is confirmed available
- Audit existing plugin data for stored payloads and purge any malicious script content
- Force password resets and invalidate active sessions for all WordPress administrators and editors
- Review recent user account changes, scheduled tasks, and modified plugin or theme files for signs of post-exploitation activity
Patch Information
No vendor patch is listed in the available references at the time of publication. The vulnerability affects all versions up to and including 1.0. Monitor the Patchstack WordPress Vulnerability Report for patch availability and replace the plugin with a maintained alternative if no fix is released.
Workarounds
- Remove the plugin entirely and replace it with a maintained visit counter solution that follows WordPress sanitization standards
- Deploy a WAF rule that blocks requests to plugin endpoints containing HTML tags or JavaScript event handlers
- Apply a strict Content Security Policy (CSP) header that disallows inline scripts and restricts script sources to trusted origins
- Restrict administrative access using IP allow-listing and require multi-factor authentication for all privileged WordPress accounts
# Configuration example: remove the vulnerable plugin via WP-CLI
wp plugin deactivate visit-counter
wp plugin delete visit-counter
# Example CSP header for nginx to limit XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
