CVE-2025-63034 identifies a Missing Authorization vulnerability in the Steve Truman Page View Count plugin, specifically in the page-views-count functionality. This vulnerability arises due to incorrectly configured access control security levels, allowing users with low privileges (PR:L) to perform actions or access data that should be restricted. The vulnerability affects all versions up to and including 2.8.7. The CVSS 3.1 base score is 5.4 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality and integrity (C:L/I:L), but no impact on availability (A:N). Exploitation could allow an attacker to view or manipulate page view count data without proper authorization, potentially leaking sensitive information or corrupting analytics data. No public exploits are known at this time, and no patches have been linked yet. The vulnerability is significant for websites relying on this plugin for analytics or visitor tracking, as it undermines trust in data integrity and confidentiality. The issue was reserved in October 2025 and published in December 2025 by Patchstack.

For European organizations, the impact centers on unauthorized access to page view count data, which could lead to leakage of sensitive visitor analytics or manipulation of website metrics. This may affect marketing decisions, user behavior analysis, and potentially expose information about site traffic patterns. While the vulnerability does not directly affect availability, the integrity compromise could undermine trust in data-driven decisions. Organizations using the affected plugin in sectors such as e-commerce, media, or government websites may face reputational damage or compliance issues if sensitive data is exposed. The requirement for low privileges means that attackers may need some level of access, but no user interaction is needed, facilitating remote exploitation. The absence of known exploits reduces immediate risk but does not eliminate the threat. The medium severity suggests a moderate risk level that should be addressed promptly to prevent escalation or combined attacks.

European organizations should immediately audit their use of the Steve Truman Page View Count plugin and verify the version in use, upgrading to a patched version once available. In the absence of a patch, restrict access to the plugin’s administrative and page view count endpoints by implementing strict access control policies, such as IP whitelisting or role-based access restrictions. Review and harden user privilege assignments to ensure minimal necessary permissions are granted. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the vulnerable endpoints. Monitor logs for unusual access patterns or unauthorized attempts to access page view data. Additionally, consider disabling or replacing the plugin with a more secure alternative if immediate patching is not feasible. Regularly update all plugins and maintain a robust vulnerability management process to quickly respond to new threats.