CVE-2025-9116
BaseFortify
Publication date: 2025-12-13
Last updated on: 2026-04-02
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpscan | wps_visitor_counter | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WPS Visitor Counter Plugin for WordPress (up to version 1.4.8). It occurs because the plugin does not properly escape the $_SERVER['REQUEST_URI'] parameter before outputting it back into an attribute. This flaw can lead to Reflected Cross-Site Scripting (XSS) attacks, particularly in older web browsers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected URL parameters for reflected Cross-Site Scripting (XSS). For example, you can use curl or a browser to inject a script tag into the URL parameter and observe if it is reflected unescaped in the response. A sample test URL is: https://example.com/wp-admin/options-general.php?page=wps_options_general&cows=2"><script>alert(5)</script>. Using curl, you can run: curl -i "https://example.com/wp-admin/options-general.php?page=wps_options_general&cows=2%22><script>alert(5)</script>" and check if the response contains the injected script unescaped. If the script is reflected and executed in an old browser, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no known fix or patch is currently available for this vulnerability, immediate mitigation steps include restricting access to the affected plugin's pages, using a Web Application Firewall (WAF) to block malicious input patterns targeting the vulnerable parameter, and educating users to avoid using outdated browsers that are more susceptible to this reflected XSS. Additionally, consider disabling or removing the WPS Visitor Counter plugin until a patch is released. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute malicious scripts in the context of the affected website by exploiting the Reflected Cross-Site Scripting flaw. This can lead to theft of user data, session hijacking, or other malicious actions performed on behalf of the user visiting the site, especially when using older browsers.