Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter simple-download-counter allows Stored XSS. This issue affects Simple Download Counter: from n/a through <= 2.2.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Download Counter plugin for WordPress contains an Improper Neutralization of Input During Web Page Generation flaw that lets attackers inject malicious JavaScript that is stored on the site (Stored XSS). This weakness can be used to steal user session cookies, deface the site, or run arbitrary scripts in the context of users who view affected pages. The flaw is classified as CWE‑79.

Affected Systems

The vulnerability affects Jeff Starr’s Simple Download Counter plugin for WordPress versions from the earliest releases through 2.2. Site administrators using any of these versions are at risk unless the plugin has been removed or updated to 2.3 or later.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability, while the EPSS score of less than 1% shows a low likelihood of exploitation in the wild; the issue is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to create or modify download counter data containing the payload, which is then rendered on the site and executed in unsuspecting visitors’ browsers. Administrators should treat this as an actionable risk and apply the official patch promptly.

Generated by OpenCVE AI on April 30, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Simple Download Counter to version 2.3 or later.
  • If the plugin is not required, remove it entirely from the WordPress installation.
  • Scan existing download counter entries for malicious JavaScript and cleanse any found payloads.
  • Enable additional content filtering or use a reputable security plugin to enforce output sanitization.

Advisories

Source: EUVD
ID: EUVD-2025-12308
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter allows Stored XSS. This issue affects Simple Download Counter: from n/a through 2.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter allows Stored XSS. This issue affects Simple Download Counter: from n/a through 2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter simple-download-counter allows Stored XSS.This issue affects Simple Download Counter: from n/a through <= 2.2.

Type: Title
Values Removed: WordPress Simple Download Counter <= 2.2 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Simple Download Counter plugin <= 2.2 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 29 Apr 2025 19:15:00 +0000

Type: First Time appeared
Values Added:
  Plugin-planet
  Plugin-planet simple Download Counter

Type: CPEs
Values Added: cpe:2.3:a:plugin-planet:simple_download_counter:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added:
  Plugin-planet
  Plugin-planet simple Download Counter

Tue, 22 Apr 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter allows Stored XSS. This issue affects Simple Download Counter: from n/a through 2.2.

Type: Title
Values Added: WordPress Simple Download Counter <= 2.2 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.795Z

Reserved: 2025-04-22T09:21:32.319Z

Link: CVE-2025-46240

Vulnrichment

Updated: 2025-04-22T13:51:07.076Z

NVD

Status: Modified

Published: 2025-04-22T10:15:17.750

Modified: 2026-04-23T15:29:56.080

Link: CVE-2025-46240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses