CVE-2026-0741
Stored XSS in Electric Studio Download Counter Plugin Settings
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | electric_studio_download_counter | to 2.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Electric Studio Download Counter WordPress plugin (up to version 2.4). It occurs because the plugin does not properly sanitize or escape input in its settings, allowing an authenticated user with Administrator-level access or higher to inject malicious scripts. These scripts are then stored and executed whenever a user accesses the affected page, potentially compromising the site or user data.
How can this vulnerability impact me? :
An attacker with Administrator-level access can exploit this vulnerability to inject arbitrary web scripts into the plugin's settings pages. These scripts execute in the context of users visiting the affected pages, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of users. This can compromise site security and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the plugin settings in the Electric Studio Download Counter WordPress plugin (up to version 2.4). Detection can focus on identifying injected scripts in plugin settings or pages where the plugin outputs data. Since the plugin stores download counts and filenames in a custom database table (`es_download_counter`), you can inspect this table for suspicious or unexpected script tags or payloads. Additionally, monitoring HTTP requests and responses for injected scripts in pages served by the plugin may help. Specific commands to detect this could include querying the WordPress database for suspicious entries, for example using MySQL commands: `SELECT * FROM es_download_counter WHERE download_name LIKE '%<script>%' OR download_name LIKE '%javascript:%';` or similar patterns. Also, reviewing plugin settings in the WordPress admin interface for unexpected script content is recommended. Network monitoring tools can be used to inspect AJAX requests to the plugin's endpoints (`esdc_addtocount` and `esdc_search_dates`) for anomalous payloads. However, no explicit detection commands are provided in the resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Electric Studio Download Counter plugin to a version that fixes the vulnerability if available (versions above 2.4 are implied to be safe). 2) Restricting Administrator-level access to trusted users only, since exploitation requires authenticated users with Administrator privileges. 3) Reviewing and sanitizing plugin settings to remove any injected scripts. 4) Implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the plugin's AJAX endpoints. 5) Monitoring and blocking suspicious IP addresses if applicable. Since the vulnerability arises from insufficient input sanitization and output escaping, applying patches or updates from the plugin developer is the most effective mitigation. If no patch is available, disabling or uninstalling the plugin until fixed is recommended. [1, 3]