CVE-2025-8294: 
WordPress vulnerability analysis and mitigation

The Download Counter plugin for WordPress (versions up to 1.3) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2025-8294. The vulnerability was discovered and disclosed on August 4, 2025, affecting the plugin's handling of the 'name' parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability stems from improper sanitization of the 'name' parameter in the downloadcounterurl_shortcode function. The plugin fails to properly sanitize and escape user input before it is stored and subsequently displayed, allowing for the injection of malicious scripts. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 1.4 of the Download Counter plugin, released on August 4, 2025. The fix includes proper escaping of the 'name' parameter using esc_attr() function (WordPress Plugin). Users are strongly advised to update to version 1.4 or later to protect against this vulnerability.