CVE-2025-24675 is a stored cross-site scripting (XSS) vulnerability identified in the WP Visitor Statistics (Real Time Traffic) plugin for WordPress, developed by osama.esh. This vulnerability stems from improper neutralization of user-supplied input during web page generation, specifically within the wp-stats-manager component. Stored XSS means that malicious scripts injected by an attacker are permanently stored on the target server, typically in a database, and served to users when they access affected pages. This can lead to execution of arbitrary JavaScript in the context of the victim's browser, enabling attacks such as session hijacking, credential theft, defacement, or distribution of malware. The affected versions include all releases up to and including version 7.2. The vulnerability does not require authentication or user interaction beyond visiting a compromised page, increasing its risk profile. Although no public exploits are currently known, the flaw is publicly disclosed and documented in the CVE database as of January 24, 2025. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors. The plugin is widely used in WordPress environments, which are prevalent globally, making this a significant threat vector for many websites. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent injection attacks.

The impact of CVE-2025-24675 is substantial for organizations running WordPress sites with the vulnerable WP Visitor Statistics plugin. Successful exploitation can lead to execution of arbitrary scripts in users' browsers, compromising user sessions and potentially allowing attackers to steal sensitive information such as authentication tokens or personal data. This can result in unauthorized access, data breaches, and reputational damage. Additionally, attackers could deface websites or use the compromised site as a vector to distribute malware to visitors, amplifying the threat. The stored nature of the XSS means the malicious payload persists, increasing the window of exposure. Given WordPress's extensive use worldwide, the vulnerability could affect a large number of websites, including those of small businesses, enterprises, and government entities. The ease of exploitation without authentication further elevates the risk, potentially enabling automated attacks at scale. Organizations may also face compliance and legal risks if user data is compromised due to this vulnerability.

To mitigate CVE-2025-24675, organizations should immediately update the WP Visitor Statistics (Real Time Traffic) plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads can provide temporary protection. Site owners should audit and sanitize all inputs and outputs related to the plugin, ensuring proper encoding of user-supplied data before rendering it in web pages. Regularly scanning the website for injected scripts and monitoring logs for suspicious activity can help detect exploitation attempts. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the execution of unauthorized scripts. Educating site administrators about the risks of installing unverified plugins and maintaining a strict plugin update policy will help prevent similar vulnerabilities. Finally, backing up website data regularly ensures recovery in case of compromise.