Login Sign Up

CVE-2025-9116

5.8 MEDIUM
Cross-Site Scripting

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts via the REQUEST_URI parameter in the WPS Visitor Counter WordPress plugin. When victims using old web browsers visit a specially crafted URL, the script executes in their browser. WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • WPS Visitor Counter WordPress Plugin
Versions: Through 1.4.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with old web browsers; modern browsers have built-in XSS protections.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users in old browsers.

🟠

Likely Case

Limited impact due to requirement of old browsers; potential for session hijacking or credential theft in specific environments.

🟢

If Mitigated

Minimal impact with modern browsers that have XSS protections enabled by default.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) and old browsers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.9 or later

Vendor Advisory: https://wpscan.com/vulnerability/fe2eb926-96e8-419e-bf41-5531546e6590/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'WPS Visitor Counter' and update to version 1.4.9 or later. 4. Verify update completes successfully.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wps-visitor-counter

Web Application Firewall Rule

all

Block malicious REQUEST_URI patterns containing script tags

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Ensure all users use modern browsers with XSS protection enabled

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → WPS Visitor Counter version. If version is 1.4.8 or earlier, you are vulnerable.

Check Version:

wp plugin get wps-visitor-counter --field=version

Verify Fix Applied:

After updating, verify plugin version shows 1.4.9 or later in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual long URLs containing script tags in access logs
  • Multiple 404 errors with script payloads in REQUEST_URI

Network Indicators:

  • HTTP requests with script tags in URL parameters
  • Suspicious redirects from your WordPress site

SIEM Query:

source="web_access_logs" AND (url="*<script>*" OR url="*javascript:*") AND uri_path="*/wp-content/plugins/wps-visitor-counter/*"

📊 Metadata

CVE ID: CVE-2025-9116
CVSS v3 Score: 5.8 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score: 0.04% exploit probability (11.7th percentile)
Published: December 13, 2025
Last Updated: December 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON