Description
Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats blog-stats-by-w3counter allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through <= 4.1.
Published: 2025-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The W3Counter Free Real‑Time Web Stats plugin for WordPress contains a CSRF flaw that permits an attacker to send requests to the site that will be processed with the privileges of a logged‑in user. The vulnerability is classified as CWE‑352. While the official description does not enumerate specific affected actions, it states that the flaw allows Cross Site Request Forgery, implying that any state‑changing request visible to an authenticated user could be performed without their knowledge.

Affected Systems

The issue affects the WordPress plugin W3Counter Free Real‑Time Web Stats, produced by Dangrossman, for any version up to and including 4.1. Sites that have not upgraded beyond 4.1 remain vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity. With an EPSS score of less than 1% and no listing in CISA KEV, the likelihood of widespread exploitation is low. The likely attack vector requires the victim to be authenticated and to click or otherwise access a crafted link that triggers the state‑changing request; this detail is inferred from the nature of CSRF vulnerabilities and not explicitly specified in the CVE description.

Generated by OpenCVE AI on May 2, 2026 at 08:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the W3Counter plugin to the latest version, which contains the fix for the CSRF flaw.
  • If an updated version is not available, uninstall the plugin to eliminate the attack surface.
  • Restrict access to any remaining configuration interfaces to trusted administrators and enforce authentication for all state‑changing requests.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-7827
Title: Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through 4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through 4.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats blog-stats-by-w3counter allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through <= 4.1.

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00024}
Values Added: epss {'score': 0.00034}


Wed, 09 Apr 2025 14:30:00 +0000

Type: First Time appeared
Values Added: W3counter; W3counter w3counter

Type: CPEs
Values Added: cpe:2.3:a:w3counter:w3counter:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: W3counter; W3counter w3counter

Wed, 12 Mar 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through 4.1.

Type: Title
Values Added: WordPress W3Counter Free Real-Time Web Stats plugin <= 4.1 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

W3counter W3counter
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.162Z

Reserved: 2025-03-11T08:08:42.174Z

Link: CVE-2025-28856

Vulnrichment

Updated: 2025-03-12T15:03:41.035Z

NVD

Status : Modified

Published: 2025-03-11T21:15:42.763

Modified: 2026-04-23T15:26:27.000

Link: CVE-2025-28856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses