The vulnerability CVE-2025-31449 affects EricH The Visitor Counter up to version 1.4.3 and allows an attacker to exploit a Cross-Site Request Forgery (CSRF) weakness combined with Stored Cross-Site Scripting (XSS). This can result in unauthorized actions performed by victims and persistent script injection within the application. The CVSS v3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to unauthorized actions being executed in the context of an authenticated user due to CSRF, and persistent XSS can allow attackers to inject malicious scripts that may steal user data or perform other malicious activities. The combined impact affects confidentiality, integrity, and availability of the affected system. There are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — no official patch or remediation guidance is currently available from the vendor. Users should monitor the vendor's advisory channels for updates. Until a fix is released, consider implementing CSRF protections such as verifying anti-CSRF tokens and applying input sanitization to mitigate Stored XSS risks where possible.