CVE-2021-25086: 
WordPress vulnerability analysis and mitigation

The Advanced Page Visit Counter WordPress plugin before version 6.1.2 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-25086. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on April 5, 2022. This security issue affects the plugin's admin dashboard functionality, where input is not properly sanitized and escaped before being displayed (WPScan Advisory).

The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while some sources rate it higher at 8.8 (HIGH) (NVD, WPScan Advisory).

The vulnerability allows unauthenticated attackers to perform Cross-Site Scripting attacks against administrators who view affected pages in the admin dashboard. When successfully exploited, it could lead to the execution of malicious JavaScript code in the context of the administrator's browser session (WPScan Advisory).

The vulnerability has been fixed in version 6.1.2 of the Advanced Page Visit Counter plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan Advisory).