WordPress Plugin Vulnerabilities

Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it

Proof of Concept

Affects Plugins

Plugin icon
advanced-page-visit-counter
Fixed in 6.1.2

References

CVE
CVE-2021-25086

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
2cf9e517-d882-4af2-bd12-e700b75e7a11

Timeline

Publicly Published
2022-04-05 (about 3 years ago)
Added
2022-04-05 (about 3 years ago)
Last Updated
2022-06-13 (about 3 years ago)

Other

Published
Title
Published
2025-02-02
Title
RJ Quickcharts <= 0.6.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2024-05-29
Title
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) < 2.7.20 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Published
2025-12-04
Title
Thai Lottery Widget <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2023-05-12
Title
itemprop WP for SERP/SEO Rich snippets <= 3.5.201706131 - Admin+ Stored XSS
Published
2025-12-26
Title
AM Events <= 1.13.1 - Authenticated (Administrator+) Stored Cross-Site Scripting