Cross-Site Request Forgery Vulnerability in Visit Counter Plugin for WordPress
CVE-2025-12452

6.1 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 4 November 2025

What is CVE-2025-12452?

The Visit Counter plugin for WordPress is exposed to a Cross-Site Request Forgery vulnerability in version 1.0 due to inadequate nonce validation on the widgets.php page. This oversight allows unauthenticated attackers to manipulate the settings of the plugin by tricking site administrators into executing forged requests, such as clicking on deceptive links. Such exploits can lead to unauthorized changes and potentially allow for the injection of malicious scripts, posing significant risks to the integrity of WordPress sites utilizing this plugin.

Affected Version(s)

Visit Counter 1.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mohammadamin Alidoost