Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Konstantin Pankratov Date counter date-counter allows Stored XSS.This issue affects Date counter: from n/a through <= 2.0.3.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that improper neutralization of user input during web page generation in the WordPress Date Counter plugin allows attackers to store malicious scripts in the database. When processed, the stored payload is rendered on site pages, enabling client‑side code execution, session hijacking, defacement, or phishing. This is a classic Stored XSS weakness (CWE‑79) that can impact all users who view affected content.

Affected Systems

WordPress sites that use Konstantin Pankratov’s Date Counter plugin, version 2.0.3 and earlier.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 and an EPSS score of less than 1 %. It is not listed in the CISA KEV catalog. Attackers would need to submit a malicious payload through the plugin’s input interface, which is typically web‑accessible. While exploitation probability is low, the risk remains for any site that still hosts the vulnerable plugin.

Generated by OpenCVE AI on April 29, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Date counter plugin to a version newer than 2.0.3 to eliminate the vulnerable code.
  • If an update is not possible, disable or remove the Date counter plugin from the site to eliminate the attack vector.
  • Apply strict output escaping to any user‑supplied data handled by the plugin, using WordPress functions such as esc_html to neutralize scripts.

Generated by OpenCVE AI on April 29, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Konstantin Pankratov Date counter date-counter allows Stored XSS.This issue affects Date counter: from n/a through <= 2.0.3.
Title WordPress Date counter plugin <= 2.0.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:57:45.389Z

Reserved: 2025-10-24T14:24:48.654Z

Link: CVE-2025-62948

cve-icon Vulnrichment

Updated: 2025-10-27T15:06:25.272Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:55.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:45:19Z

Weaknesses