{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67983", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:33.670Z", "datePublished": "2025-12-16T08:12:58.563Z", "dateUpdated": "2026-04-28T19:31:39.107Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-stats-manager", "product": "WP Visitor Statistics (Real Time Traffic)", "vendor": "osama.esh", "versions": [{"changes": [{"at": "8.4", "status": "unaffected"}], "lessThanOrEqual": "8.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:15.069Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.<p>This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.272Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 8.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T20:38:33.911284Z", "id": "CVE-2025-67983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:31:39.107Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T20:38:33.911284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T20:38:17.750Z"}}], "cna": {"title": "WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 8.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "affected": [{"vendor": "osama.esh", "product": "WP Visitor Statistics (Real Time Traffic)", "versions": [{"status": "affected", "changes": [{"at": "8.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 8.3"}], "packageName": "wp-stats-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2025-12-15T22:02:57.330Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.<p>This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-01-20T14:28:27.283Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67983", "state": "PUBLISHED", "dateUpdated": "2026-01-30T17:41:32.495Z", "dateReserved": "2025-12-15T10:00:33.670Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:12:58.563Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3."}], "id": "CVE-2025-67983", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-16T09:16:00.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:32:41.332375+00:00", "value": {"mitigation_remediation": ["Update the WP Visitor Statistics (Real Time Traffic) plugin to the latest version (8.4 or newer).", "If an update is not immediately possible, remove or deactivate the plugin to eliminate the attack surface.", "Deploy a web application firewall rule or security plugin to block or sanitize suspicious input patterns that target the plugin\u2019s vulnerable parameters."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The flaw affects WordPress sites that use the WP Visitor Statistics (Real Time Traffic) plugin version 8.3 or earlier, released by osama.esh. All installations running any version from the earliest release up to and including 8.3 are potentially vulnerable; newer releases are not impacted.", "description_and_impact": "This vulnerability is an improperly neutralized user input in the WP Visitor Statistics (Real Time Traffic) plugin that allows a DOM\u2011based Cross\u2011Site Scripting (XSS) attack. Because the plugin does not encode or filter certain values before inserting them into the page, an attacker can inject malicious scripts that execute in the context of the victim\u2019s browser when the crafted input is processed. The vulnerability description does not specify additional impacts beyond script execution in the browser but discusses the risk inherent in DOM\u2011based XSS.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply crafted input that the plugin processes and reflects in the browser without sanitization; this can typically be achieved via a specially crafted URL or form submission. Because the vector is client\u2011side, any user visiting the affected page will have the injected script executed in their browser."}}}}, "created": "2025-12-16T20:45:18.950998+00:00", "updated": "2026-04-28T18:45:15.968941+00:00", "vendors": ["osama.esh", "osama.esh$PRODUCT$wp_visitor_statistics_(real_time_traffic)", "wordpress", "wordpress$PRODUCT$wordpress"]}