Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mithra62 WP-Click-Tracker wp-click-track allows Reflected XSS. This issue affects WP-Click-Tracker: from n/a through <= 0.7.3.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation allows a reflected Cross‑Site Scripting attack within the WP‑Click‑Tracker plugin. This flaw (CWE‑79) permits attackers to inject arbitrary client‑side scripts when a victim visits a crafted URL or interacts with a vulnerable input field. Successful exploitation can lead to cookie theft, session hijacking, defacement of the site, or the delivery of malware to visitors, thereby compromising confidentiality, integrity, and availability for the affected website.

Affected Systems

The vulnerability impacts WordPress installations that use the WP‑Click‑Tracker plugin by mithra62 in any version up to and including 0.7.3 (the affected range starts at "n/a", i.e. no lower bound is given). Any WordPress site running a version of the plugin in this range is susceptible; newer releases are not affected.

Risk and Exploitability

The CVSS score of 7.1 classifies this as a high‑severity issue, but the EPSS score of < 1 % indicates that real‑world exploitation is currently unlikely. The flaw is reflected, so a specifically crafted request has to reach the target site, typically by a victim following an attacker‑supplied link; this is a moderate technical barrier. It is not listed in the CISA KEV catalog, so no large‑scale exploitation is known. Organizations should assume that an attacker could target the plugin by embedding a malicious link in email or social media messages and relying on victim interaction.

Generated by OpenCVE AI on April 29, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP‑Click‑Tracker to the latest release (>= 0.7.4) to eliminate the reflected XSS vector.
  • If an immediate update cannot be performed, disable the WP‑Click‑Tracker plugin or remove it from the site to prevent the vulnerable code from executing.
  • Regularly audit all installed WordPress plugins and apply security patches promptly to mitigate similar vulnerabilities in the future.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mithra62 WP-Click-Tracker wp-click-track allows Reflected XSS. This issue affects WP-Click-Tracker: from n/a through <= 0.7.3.
Title WordPress WP-Click-Tracker Plugin <= 0.7.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:28:13.562Z

Reserved: 2025-06-11T16:07:34.181Z

Link: CVE-2025-49954

Vulnrichment

Updated: 2025-10-23T15:08:06.191Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:41.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses