Data Manipulation Vulnerability in Page View Count Plugin for WordPress
CVE-2025-2816

8.1 HIGH

Key Information:

Vendor

WordPress

CVE Published:
1 May 2025

What is CVE-2025-2816?

The Page View Count plugin for WordPress suffers from a data manipulation vulnerability due to a missing capability check in the yellow_message_dontshow() function. This flaw affects versions 2.8.0 to 2.8.4 and allows authenticated attackers, with Subscriber-level access or higher, to modify critical options within the WordPress site. By exploiting this vulnerability, attackers can potentially render the site inoperable for legitimate users through the introduction of erroneous option values or by altering configurations related to user registrations.

Affected Version(s)

Page View Count 2.8.0 through 2.8.4

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kenneth Dunn