CVE-2025-67983 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the WP Visitor Statistics (Real Time Traffic) plugin for WordPress, developed by osama.esh. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the wp-stats-manager component, which fails to adequately sanitize or encode data before rendering it in the browser DOM. This flaw allows attackers to inject malicious JavaScript code that executes in the context of the victim's browser session. Unlike reflected or stored XSS, DOM-based XSS occurs entirely on the client side, making detection and mitigation more challenging. The affected versions include all versions up to and including 8.3, with no specific lower bound version identified. Although no public exploit code or active exploitation has been reported, the vulnerability is publicly disclosed and classified as PUBLISHED by Patchstack. The absence of a CVSS score indicates that the vulnerability is newly disclosed and pending further analysis. The attack vector typically involves tricking users into clicking crafted URLs or interacting with manipulated web content that triggers the malicious script execution. Potential consequences include session hijacking, theft of sensitive information, unauthorized actions performed under the victim's credentials, and delivery of further malware. The plugin’s widespread use in WordPress sites for real-time traffic statistics makes this vulnerability relevant to many web administrators and organizations relying on this plugin for analytics.

For European organizations, the impact of CVE-2025-67983 can be significant, especially for those operating customer-facing websites or portals that utilize the WP Visitor Statistics plugin. Successful exploitation could lead to compromise of user sessions, leakage of sensitive information such as authentication tokens or personal data, and unauthorized actions performed on behalf of users, undermining trust and potentially violating data protection regulations like GDPR. The vulnerability could also facilitate phishing or social engineering campaigns by injecting malicious content into legitimate websites. Given the plugin’s role in real-time traffic monitoring, attackers might also manipulate analytics data to obscure their activities or mislead administrators. The impact extends to reputational damage, regulatory penalties, and operational disruption. Organizations with high web traffic or those in sectors such as finance, healthcare, or e-commerce are particularly at risk. Additionally, the ease of exploitation without authentication and the client-side nature of the attack increase the likelihood of successful attacks if mitigations are not promptly applied.

To mitigate CVE-2025-67983, organizations should prioritize updating the WP Visitor Statistics (Real Time Traffic) plugin to a patched version once it becomes available from the vendor. Until an official patch is released, administrators should consider disabling or removing the plugin if it is not essential. Implementing strict Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts and reduce the impact of DOM-based XSS. Web application firewalls (WAFs) with custom rules targeting suspicious input patterns related to this plugin may provide temporary protection. Additionally, website developers and administrators should audit and sanitize all user inputs and outputs related to the plugin’s functionality, ensuring proper encoding and validation. Regular security scanning and penetration testing focused on client-side vulnerabilities can help detect exploitation attempts. Educating users about the risks of clicking unknown links and monitoring web logs for unusual activity are also recommended. Finally, maintaining an incident response plan that includes XSS attack scenarios will improve readiness to respond effectively.