{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9116", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-08-18T13:56:12.969Z", "datePublished": "2025-12-13T06:00:08.052Z", "dateUpdated": "2026-04-02T12:39:56.139Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:56.139Z"}, "title": "WPS Visitor Counter Plugin <= 1.4.8 - Reflected XSS via $_SERVER['REQUEST_URI']", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WPS Visitor Counter", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.4.8"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers."}], "references": [{"url": "https://wpscan.com/vulnerability/fe2eb926-96e8-419e-bf41-5531546e6590/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Bob Matyas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-13T22:55:13.457797Z", "id": "CVE-2025-9116", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-13T22:55:27.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-9116", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-13T22:55:13.457797Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-13T22:55:07.232Z"}}], "cna": {"title": "WPS Visitor Counter Plugin <= 1.4.8 - Reflected XSS via $_SERVER['REQUEST_URI']", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Matyas"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "WPS Visitor Counter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.8"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/fe2eb926-96e8-419e-bf41-5531546e6590/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:56.139Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9116", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:56.139Z", "dateReserved": "2025-08-18T13:56:12.969Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-12-13T06:00:08.052Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers."}], "id": "CVE-2025-9116", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-13T16:16:56.747", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/fe2eb926-96e8-419e-bf41-5531546e6590/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:33:14.425834+00:00", "value": {"mitigation_remediation": ["Update the WPS Visitor Counter plugin to a version newer than 1.4.8 once it becomes available, as the fix removes the unsanitized request\u2011URI output.", "If an immediate upgrade cannot be performed, temporarily deactivate or completely uninstall the plugin to eliminate the reflection vector.", "Apply a Content Security Policy that forbids inline scripts or enforce at least one of the following: disallow scripts with \"unsafe-inline\" or add a nonce; or use a WordPress security plugin to sanitize URL parameters before rendering."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin WPS Visitor Counter, any installation of any version up to and including 1.4.8. Websites that have installed these versions are potentially vulnerable, independent of the host or domain. No other vendors or products were listed in the CNA data.", "description_and_impact": "The WPS Visitor Counter WordPress plugin up to version 1.4.8 fails to escape the $_SERVER['REQUEST_URI'] variable before it is included in an HTML attribute. This flaw allows an attacker to inject arbitrary JavaScript that is reflected back to the victim when the URL is visited. The root cause is improper input validation, a common cause for XSS vulnerabilities (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 5.8 classifies the vulnerability as moderate severity. The EPSS score of less than 1 percent indicates a very low probability that the flaw is being actively exploited in the wild. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to create a malicious URL that includes unescaped characters in the request URI, publish or otherwise distribute that link, and convince a victim to click it. The exploitation is limited to the victim\u2019s browser session and does not modify server state or affect other users."}}}}, "created": "2025-12-14T21:14:36.493951+00:00", "updated": "2026-04-28T18:45:15.970366+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-79"]}