vulnerability
WordPress Plugin: wp-stats-manager: CVE-2021-25042: Missing Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:M/Au:S/C:N/I:P/A:N) | Jan 31, 2022 | May 15, 2025 | May 5, 2026 |
Severity
3
CVSS
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Published
Jan 31, 2022
Added
May 15, 2025
Modified
May 5, 2026
Description
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin
Solution
wp-stats-manager-plugin-cve-2021-25042
References
- https://www.cve.org/CVERecord?id=CVE-2021-25042
- https://www.wordfence.com/threat-intel/vulnerabilities/id/693fbac2-46b8-4771-99b5-6cd97096286e?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-11954
- CVE-2021-25042
- https://attackerkb.com/topics/CVE-2021-25042
- CWE-862
- EUVD-EUVD-2021-11954
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.