{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13048", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T08:51:02.962Z", "datePublished": "2026-02-19T03:25:19.247Z", "dateUpdated": "2026-04-08T17:18:50.010Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:50.010Z"}, "affected": [{"vendor": "statcounter", "product": "StatCounter \u2013 Free Real Time Visitor Stats", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The StatCounter \u2013 Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Official StatCounter Plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcde42fb-6f61-4174-a44a-bb28e4855062?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/tags/2.1.1/StatCounter-Wordpress-Plugin.php#L274"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407998%40official-statcounter-plugin-for-wordpress&new=3407998%40official-statcounter-plugin-for-wordpress&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-10-30T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:04:17.200007Z", "id": "CVE-2025-13048", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:40:41.496Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13048", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:04:17.200007Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:04:18.492Z"}}], "cna": {"title": "Official StatCounter Plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "statcounter", "product": "StatCounter \u2013 Free Real Time Visitor Stats", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-30T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcde42fb-6f61-4174-a44a-bb28e4855062?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/tags/2.1.1/StatCounter-Wordpress-Plugin.php#L274"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407998%40official-statcounter-plugin-for-wordpress&new=3407998%40official-statcounter-plugin-for-wordpress&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The StatCounter \u2013 Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:50.010Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13048", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:50.010Z", "dateReserved": "2025-11-12T08:51:02.962Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T03:25:19.247Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The StatCounter \u2013 Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin StatCounter \u2013 Free Real Time Visitor Stats para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del Nickname del usuario en todas las versiones hasta la 2.1.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-13048", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:29.643", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/tags/2.1.1/StatCounter-Wordpress-Plugin.php#L274"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407998%40official-statcounter-plugin-for-wordpress&new=3407998%40official-statcounter-plugin-for-wordpress&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcde42fb-6f61-4174-a44a-bb28e4855062?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "StatCounter \u2013 Free Real Time Visitor Stats", "source": "cna", "vendor": "statcounter"}, "product": "statcounter_\u2013_free_real_time_visitor_stats", "vendor": "statcounter"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T00:11:46.451333+00:00", "value": {"mitigation_remediation": ["Upgrade the StatCounter plugin to version 2.1.1 or later where the Nickname sanitization is fixed.", "If an upgrade is delayed, replace any stored nicknames that contain scripts or disallow script content in existing nicknames.", "Audit the plugin code or configuration to ensure all user\u2011supplied data is properly escaped before rendering on webpages."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via user Nickname"}, "threat_synthesis": {"affected_systems": "The affected product is the StatCounter \u2013 Free Real Time Visitor Stats WordPress plugin, versions up to and including 2.1.0.", "description_and_impact": "The StatCounter plugin for WordPress contains a stored cross\u2011site scripting flaw that allows attackers with Contributor or higher privileges to embed arbitrary JavaScript using the user Nickname field. The injected code is stored and rendered each time a page that displays the nickname is viewed, enabling malicious scripts to run in the context of any site visitor. This vulnerability corresponds to CWE\u201179, where insufficient input validation and output escaping give an attacker code\u2011execution capabilities on the client side.", "risk_and_exploitability": "With a CVSS score of 6.4 the issue is considered medium severity. The EPSS probability is below 1\u202f%, indicating that the likelihood of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation requires an authenticated account with Contributor or higher permissions, so the risk remains for sites that have not upgraded the plugin and have such user roles in place."}}}}, "created": "2026-02-19T10:07:32.073847+00:00", "updated": "2026-04-21T00:15:16.131395+00:00", "vendors": ["statcounter", "statcounter$PRODUCT$statcounter_\u2013_free_real_time_visitor_stats", "wordpress", "wordpress$PRODUCT$wordpress"]}