Description
Missing Authorization vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 7.5.
Published: 2025-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress users of WP Visitor Statistics (Real Time Traffic) may be able to bypass authorization and view usage statistics that belong to other users or the entire site, leading to potential exposure of sensitive traffic analytics. The vulnerability arises from a missing authorization check that allows improper access control in the wp-stats-manager plugin.

Affected Systems

The plugin is affected across all installations of WP Visitor Statistics (Real Time Traffic) with versions from the first release through 7.5 inclusive. Users running any of these versions, regardless of WordPress site configuration, are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 classifies the issue as moderate severity, while an EPSS under 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV, further suggesting limited real-world exploitation risk. However, attackers could target sites that rely on detailed visitor statistics and may gain insights into site traffic patterns if they can authenticate to the administration interface or otherwise exploit the plugin’s incorrect access control logic.

Generated by OpenCVE AI on May 1, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Visitor Statistics to a version newer than 7.5.
  • If a patch is not immediately available, disable the wp-stats-manager plugin or restrict access to the plugin’s administrative pages to users with appropriate privileges.
  • Regularly review WordPress user roles and permissions to ensure that only trusted administrators can view visitor statistics.

Advisories
Source: EUVD
ID: EUVD-2025-2704
Title: Missing Authorization vulnerability in osamaesh WP Visitor Statistics (Real Time Traffic) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in osamaesh WP Visitor Statistics (Real Time Traffic) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.3.
  Added: Missing Authorization vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 7.5.
Title
  Removed: WordPress WP Visitor Statistics plugin <= 7.3 - Broken Access Control vulnerability
  Added: WordPress WP Visitor Statistics plugin <= 7.5 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Tue, 07 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in osamaesh WP Visitor Statistics (Real Time Traffic) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.3.
Title WordPress WP Visitor Statistics plugin <= 7.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:58.853Z

Reserved: 2025-01-03T13:16:00.604Z

Link: CVE-2025-22304

Vulnrichment

Updated: 2025-01-07T15:51:12.092Z

NVD

Status: Deferred

Published: 2025-01-07T11:15:14.740

Modified: 2026-04-23T15:22:58.670

Link: CVE-2025-22304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:45:26Z

Weaknesses