CVE-2025-2164: 
WordPress vulnerability analysis and mitigation

The pixelstats plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-2164) that affects all versions up to and including 0.8.2. The vulnerability was discovered and disclosed on March 15, 2025, and affects the plugin's handling of 'post_id' and 'sortby' parameters (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the pixelstats WordPress plugin's handling of the 'post_id' and 'sortby' parameters. The issue has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD, Wordfence).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The vulnerability can potentially lead to the compromise of user sessions and data theft (NVD).

As of March 13, 2025, the plugin has been temporarily closed and is not available for download pending a full security review (WordPress). Users are advised to disable and remove the plugin until a patched version becomes available.