4stats <= 2.0.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting | CVE 2025-3869 | Plugin Vulnerabilities

Description

The 4stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the stats/stats.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/453b246f-7e39-4adb-9506-77d96146ab50

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

johska

Verified

No

WPVDB ID

369dd14b-da84-41be-bcfe-2f188b88168a

Timeline

Publicly Published

2025-05-23 (about 11 months ago)

Added

2025-05-23 (about 11 months ago)

Last Updated

2025-05-24 (about 11 months ago)

Other

Published

Title

Published

2024-03-25

Title

VK All in One Expansion Unit < 9.97.0.0 - Contributor+ Stored XSS

Published

2025-01-07

Title

Content Blocks Builder < 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-19

Title

Ultimate Classified Listings <= 1.7 - Subscriber+ Stored XSS

Published

2025-05-16

Title

Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting

Published

2022-05-17

Title

Opal Hotel Room Booking <= 1.2.7 - Contributor+ Stored Cross-Site Scripting