CVE-2025-13048 is an authenticated Stored Cross-Site Scripting vulnerability in the Official StatCounter Plugin that allows a user with the Contributor role or higher to store a crafted payload in the WordPress Nickname field. The vulnerability is triggered when the affected post is viewed and the plugin renders the author nickname into a JavaScript context without proper sanitization and escaping. The practical security outcome is persistent browser-side code execution against visitors and administrators who open the injected post. On real sites this can lead to session theft, unauthorized admin actions, malicious redirects, or further compromise of the WordPress dashboard.
| CVE | CVE-2025-13048 |
| Plugin Version | Official StatCounter Plugin <= 2.1.0 |
| All Time | 1 993 432 |
| Active installations | 70 000+ |
| Publicly Published | February 18, 2026 |
| Last Updated | February 18, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13048 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/official-statcounter-plugin-for-wordpress/official-statcounter-plugin-210-authenticated-contributor-stored-cross-site-scripting-via-nickname |
Timeline
| October 29, 2025 | Plugin testing and vulnerability detection in the Official StatCounter Plugin have been completed |
| October 29, 2025 | I prepared the vulnerability PoC with a description and recommendations for fixing |
| February 18, 2026 | Registered CVE-2025-13048 |
Discovery of the Vulnerability
The vulnerable chain starts with a WordPress user profile value that can be controlled by a Contributor or higher role. The attacker changes the Nickname field to a JavaScript breaking payload and then creates a post. When the post is viewed, the plugin processes author related tracking data and includes the author nickname in the page output. The value is stored in WordPress and later reused by the plugin without sufficient sanitization before storage and without sufficient escaping before output. This turns a normal profile field into a persistent XSS source. The root cause is unsafe handling of user controlled profile metadata in a JavaScript context. A value that should be treated as text is inserted into executable script syntax, which allows the attacker to close the current string or object structure and execute arbitrary JavaScript in the browser of any user who opens the affected post.
Understanding Stored XSS Attacks
Stored Cross-Site Scripting is one of the most dangerous XSS classes because the payload is saved server side and does not require the attacker to deliver a fresh malicious link for every victim. In WordPress, low privilege roles such as Contributor can often create content but should not be able to execute JavaScript against administrators or visitors. This trust boundary is critical. Profile fields, post metadata, comments, block attributes, and plugin settings must be sanitized on input and escaped according to the exact output context. A nickname displayed as plain HTML needs HTML escaping, while a nickname inserted into JavaScript requires JavaScript safe encoding. In CVE-2025-13048 the attacker abuses this boundary by storing a crafted nickname that later reaches plugin generated page output. The result is persistent script execution tied to content created by the attacker.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2025-13048, an attacker with Contributor or higher access can save a malicious Nickname value and publish or submit a post that triggers the affected plugin output path:
PoC:
1) Go to your profile and change the "Nickname" field to: test"}});alert(112312313);//
2) Create a new post with something inside.
3) Go to this post.
4) The payload executes when the affected post is opened.
The most severe outcome is persistent execution of attacker controlled JavaScript in the browser of an administrator who views the affected post. In a realistic attack, a Contributor account can place the payload in the Nickname field, create content that appears harmless, and wait for an editor or administrator to review it. Once the page is opened, the script runs in the victim session and can perform actions available to that user through the WordPress admin context if suitable nonces or same origin requests are reachable. This can enable account takeover paths, creation of malicious content, plugin setting changes, credential phishing inside the dashboard, or redirection of visitors to attacker controlled infrastructure. The issue also affects site integrity because the payload remains stored until the malicious nickname or affected output path is cleaned.
Recommendations for Improved Security
The fix must apply context aware escaping at every output point that renders the author nickname. When the value is printed into HTML, use the appropriate WordPress escaping function such as esc_html. When the value is inserted into JavaScript, use safe JavaScript encoding such as wp_json_encode or esc_js depending on the exact construction. The plugin should not trust WordPress profile fields as safe text because Contributors and other low privilege users can control them. Input sanitization should also be added when plugin specific values are saved, but output escaping remains mandatory because stored data can come from legacy records, imports, or other plugins. Site owners should update the Official StatCounter Plugin to a fixed version, review Contributor accounts, inspect recent posts created by low privilege users, and remove suspicious Nickname values that contain script breaking characters or JavaScript payloads.
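The JavaScript-context half of this recommendation, as an added example that is not the plugin's code: a hypothetical tracking snippet (the `_tracker` name and both `render_author_tag_*` functions are assumptions) rendered first with raw concatenation and then with `wp_json_encode`, using the Nickname value from the PoC. A small stand-in for `wp_json_encode` lets the file run outside WordPress.

```php
<?php
// Added example, not the plugin's code. The snippet shape and the _tracker
// name are hypothetical: the nickname sits in a string, inside an object,
// inside a call, which is the structure the PoC value closes.

// Stand-in so this file runs outside WordPress, which ships the real function.
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($value, $flags = 0, $depth = 512) {
        return json_encode($value, $flags, $depth);
    }
}

// BEFORE: the nickname is concatenated raw into a JavaScript string literal.
function render_author_tag_unsafe(string $nickname): string {
    return '<script>_tracker.push({"tags": {"author": "' . $nickname . '"}});</script>';
}

// AFTER: the data is serialized as one JSON literal. The HEX flags encode
// <, >, &, ' and " inside values, so a value cannot close the string or the
// surrounding <script> element.
function render_author_tag_safe(string $nickname): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = wp_json_encode(array('tags' => array('author' => $nickname)), $flags);
    if ($json === false) {
        $json = '{}'; // encoding failed (e.g. invalid UTF-8): emit no user data
    }
    return '<script>_tracker.push(' . $json . ');</script>';
}

$poc = 'test"}});alert(112312313);//'; // Nickname value from the PoC above

echo render_author_tag_unsafe($poc), "\n"; // string literal ends early
echo render_author_tag_safe($poc), "\n";   // quotes hex-escaped, value stays data

// Round-trip check: the JSON argument decodes back to the exact nickname.
preg_match('/push\((.*)\);<\/script>$/', render_author_tag_safe($poc), $m);
$decoded = json_decode($m[1], true);
var_dump($decoded['tags']['author'] === $poc);
```

Serializing the whole object, rather than escaping only the nickname and concatenating it between quotes, keeps the fix correct if more author fields are later added to the same structure.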
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-13048, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

