CVE-2025-13048
Stored XSS in StatCounter WordPress Plugin via User Nickname
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statcounter | official_statcounter_plugin_for_wordpress | to 2.1.0 (inc) |
| statcounter | free_real_time_visitor_stats | to 2.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The StatCounter β Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the user's Nickname in all versions up to and including 2.1.0. This vulnerability arises due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts execute whenever any user accesses the injected page.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into pages viewed by other users. The impact includes potential theft of user credentials, session hijacking, defacement of the website, or execution of unauthorized actions on behalf of users. Since the vulnerability is a Stored Cross-Site Scripting, the malicious code persists on the site and affects all visitors who access the compromised pages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the user's Nickname in the StatCounter WordPress plugin versions up to 2.1.0. Detection involves identifying injected scripts in pages where user nicknames are displayed.
Since the vulnerability is exploited by injecting arbitrary web scripts in pages accessed by users, detection can be done by searching for suspicious script tags or JavaScript code in the database fields related to user nicknames or in the rendered HTML of pages.
- Search the WordPress database for suspicious script tags in the user nickname field, e.g., using SQL commands:
- SELECT ID, user_nicename FROM wp_users WHERE user_nicename LIKE '%<script>%';
- Use command-line tools like curl or wget to fetch pages where user nicknames appear and grep for suspicious script tags:
- curl -s https://yourwordpresssite.com/somepage | grep '<script>'
- Check WordPress plugin version installed to confirm if it is vulnerable (version β€ 2.1.0):
- wp plugin list | grep statcounter
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the StatCounter plugin to version 2.1.1 or later, where input sanitization and output escaping have been improved to prevent this Stored XSS vulnerability.
Additional immediate steps include:
- Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least Contributor access.
- Manually sanitize or remove suspicious scripts from user nickname fields in the database.
- Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting user nickname inputs.
- Monitor and audit user-generated content for suspicious scripts until the plugin is updated.