CVE-2025-49400 CRITICAL

CVE-2025-49400: WordPress WP Visitor Statistics (Real Time Traffic) Plugin <= 8.2 - Cross Site Scripting (XSS) Vulnerability

Vendor Osama.esh
Product WP Visitor Statistics (Real Time Traffic)
Weakness CWE-79 · XSS
Published August 20, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) allows Stored XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 8.2.

Key dates

02Disclosure timeline

August 20, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-48244 WordPress Exclusive Addons Elementor plugin <= 2.7.9 - Cross Site Scripting (XSS) Vulnerability CVE-2024-5125 XSS and Open Redirect via SVG File Upload in parisneo/lollms-webui CVE-2024-22397 CVE-2025-8149 aThemes Addons for Elementor Lite <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget CVE-2024-11195 Email Subscription Popup <= 1.2.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via print_email_subscribe_form Shortcode