CVE-2025-2816: 
WordPress vulnerability analysis and mitigation

The Page View Count plugin for WordPress contains a vulnerability (CVE-2025-2816) discovered on April 30, 2025, affecting versions 2.8.0 to 2.8.4. The vulnerability stems from a missing capability check in the yellowmessagedontshow() function, which allows authenticated users with Subscriber-level access or higher to perform unauthorized data modifications (NVD CVE, Wiz Report).

The vulnerability is classified with a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The issue is categorized as CWE-862 (Missing Authorization). The vulnerability exists in the yellowmessagedontshow() function where proper capability checks were not implemented, allowing users with minimal privileges to modify option values (NVD CVE).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to update option values on the WordPress site. This can be exploited to create errors that would deny service to legitimate users or manipulate certain settings like registration options. The impact primarily affects the site's availability and integrity, with no direct impact on confidentiality (Wiz Report).

The vulnerability has been patched in version 2.8.5 of the Page View Count plugin. The update includes security hardening measures such as rejecting requests if the provided key doesn't match allowed keys, restricting actions to administrators with manageoptions capability, and limiting script enqueuing to administrators ([WordPress Plugin](https://plugins.trac.wordpress.org/changeset?sfpemail=&sfphmail=&reponame=&old=3282975%40page-views-count&new=3282975%40page-views-count&sfpemail=&sfph_mail=)).