CVE-2025-49065: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in BestiaDurmiente Visit Counter WordPress plugin version 1.0 and earlier. The vulnerability was discovered by Nguyen Xuan Chien and publicly disclosed on August 7, 2025. This security issue affects all versions of the Visit Counter plugin up to and including version 1.0, with no official fix currently available (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 7.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). It requires no authentication to exploit, making it particularly concerning (NVD, Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when visitors access the affected site. The impact is particularly severe as it requires no authentication to exploit and could affect all visitors to the compromised website (Patchstack).

As no official fix is available, website administrators are advised to either remove and replace the plugin or implement virtual patching. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).