Stored Cross-Site Scripting Vulnerability in WP Statistics Plugin by WordPress
CVE-2025-9816

7.2HIGH

Key Information:

Vendor: WordPress
Status: WP Statistics – Simple, Privacy-friendly Google Analytics Alternative
Vendor: CVE Published:; 27 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-9816?

The WP Statistics plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping. This flaw enables unauthenticated attackers to inject arbitrary web scripts into the User-Agent Header. Consequently, the malicious scripts may execute automatically when a user accesses any infected page. Users are advised to update to the latest version to mitigate potential risks.

Affected Version(s)

WP Statistics – Simple, privacy-friendly Google Analytics alternative * <= 14.15.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-9816
Created by monzaviman

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-statistics/...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 13, 2025
👾
Exploit known to exist
Nov 13, 2025
Vulnerability published
Sep 27, 2025
Vulnerability Reserved
Sep 1, 2025

Credit

Dmitrii Ignatyev

JSON