Description
The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-03-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The pixelstats plugin for WordPress contains a reflected cross‑site scripting flaw that originates from the ‘post_id’ and ‘sortby’ query parameters. These values are not sanitized or escaped before being reflected back to the browser, giving an unauthenticated attacker the ability to inject arbitrary JavaScript into pages served by the site. Because the script is executed in the victim’s browser when the malicious link is clicked, the impact is limited to the scope of that browser session, enabling session hijacking, phishing, or other client‑side attacks. This weakness corresponds to CWE‑79.

Affected Systems

The vulnerability resides in the pixelstats WordPress plugin, vendor pixelstats. All installations of the plugin with a version number of 0.8.2 or earlier are affected. The plugin must be installed on a WordPress site to be vulnerable, meaning any WordPress website that has pixelstats <=0.8.2 is at risk.

Risk and Exploitability

The CVSS base score of 6.1 classifies the issue as a moderate severity problem. The EPSS score of less than 1 percent indicates a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely through a crafted URL that includes malicious ‘post_id’ or ‘sortby’ values, which is a reflected XSS scenario requiring the victim to click the link. While the impact is confined to the victim’s browser, attackers could use it in phishing campaigns or to compromise sessions on sites that are visited by users who click such links.

Generated by OpenCVE AI on April 21, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the pixelstats WordPress plugin to the latest supported version (>=0.8.3), which removes the unsanitized parameters.
  • If an upgrade is not immediately possible, implement server‑side validation restricting ‘post_id’ and ‘sortby’ to numeric values and apply output encoding before rendering them back in the HTML.
  • Deploy a web application firewall or use security plugin rules to filter common XSS payloads in query parameters as temporary protection.
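As an added illustration of the two recommended actions above (this is example code, not code from the pixelstats plugin or from OpenCVE), the following PHP places the unsafe reflection pattern the advisory describes next to a hardened handler that validates 'post_id' with absint(), restricts 'sortby' to an allow-list, and escapes both values on output with WordPress core esc_* functions. The allow-list entries and function names prefixed pixelstats_example_ are assumptions for illustration only.

```php
<?php
// Added example, not pixelstats code. Assumes WordPress is loaded:
// absint, sanitize_key, wp_unslash, esc_attr, esc_html and wp_die
// are core WordPress functions.

// UNSAFE pattern (the class of bug described by CVE-2025-2164):
// untrusted query parameters are echoed straight into HTML.
function pixelstats_example_unsafe_render() {
    $post_id = isset( $_GET['post_id'] ) ? $_GET['post_id'] : '';
    $sortby  = isset( $_GET['sortby'] ) ? $_GET['sortby'] : '';
    // Reflected without validation or escaping: reflected XSS.
    echo '<input type="hidden" name="post_id" value="' . $post_id . '">';
    echo '<p>Sorted by: ' . $sortby . '</p>';
}

// HARDENED pattern: validate on input, escape on output.
function pixelstats_example_safe_render() {
    // post_id must be a non-negative integer; absint() casts the
    // value and turns any non-numeric input into 0, which we reject.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( 0 === $post_id ) {
        wp_die( 'Invalid post_id.', 'Bad Request', array( 'response' => 400 ) );
    }

    // sortby: allow-list of assumed column names (placeholders; the
    // plugin's real accepted values are not part of this example).
    $allowed_sort = array( 'views', 'date', 'title' );
    $sortby = isset( $_GET['sortby'] )
        ? sanitize_key( wp_unslash( $_GET['sortby'] ) )
        : 'views';
    if ( ! in_array( $sortby, $allowed_sort, true ) ) {
        $sortby = 'views'; // fall back to a known-good default
    }

    // Escape on output even though the values are already validated:
    // esc_attr() in attribute context, esc_html() in text context.
    echo '<input type="hidden" name="post_id" value="' . esc_attr( (string) $post_id ) . '">';
    echo '<p>Sorted by: ' . esc_html( $sortby ) . '</p>';
}
```

Validation alone is not enough for values that must carry arbitrary text, so the escape step is kept regardless of how strict the input check is.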


Advisories

Source: EUVD
ID: EUVD-2025-6619
Title: The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

History

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00177}
Values Added: {'score': 0.00271}

Fri, 28 Mar 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Pixelstats; Pixelstats pixelstats
Type: CPEs
Values Added: cpe:2.3:a:pixelstats:pixelstats:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Pixelstats; Pixelstats pixelstats

Mon, 17 Mar 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 03:45:00 +0000

Type: Description
Values Added: The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Type: Title
Values Added: pixelstats <= 0.8.2 - Reflected Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:49.688Z

Reserved: 2025-03-10T13:42:12.820Z

Link: CVE-2025-2164

Vulnrichment

Updated: 2025-03-17T21:25:26.969Z

NVD

Status: Analyzed

Published: 2025-03-15T04:15:22.260

Modified: 2025-03-28T16:07:07.700

Link: CVE-2025-2164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses