CVE-2025-49859
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress WP Views Counter plugin up to version 2.0.3. It allows attackers with contributor-level privileges to inject malicious scripts, such as redirects or advertisements, into web pages generated by the plugin. These scripts execute when visitors access the affected site, potentially compromising site integrity and user experience. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized execution of malicious scripts on your website, which may result in unwanted redirects, display of malicious advertisements, or other harmful HTML payloads. This can compromise the integrity of your site and negatively affect the experience of your visitors. Although the severity is rated as low (CVSS 6.5), timely updates to version 2.0.4 or later are recommended to mitigate the risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your WordPress site is running WP Views Counter plugin version 2.0.3 or earlier, which is vulnerable. You can verify the plugin version via the WordPress admin dashboard or by inspecting the plugin files. Additionally, monitoring for unusual script injections or unexpected HTML payloads in web pages served by the site may indicate exploitation. While no specific commands are provided, scanning for plugin versions and inspecting web responses for injected scripts are recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Views Counter plugin to version 2.0.4 or later, where the vulnerability is fixed. Alternatively, applying Patchstack's virtual patching (vPatching) can provide rapid protection without performance loss before official patches are applied. It is also recommended to perform server-side malware scanning and consider professional incident response if compromise is suspected. [1]