WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'height' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Visitor Statistics Real Time Traffic versions = 8.4...

CVE-2025-49400

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in osama.esh WP Visitor Statistics Real Time Traffic allows Stored XSS. This issue affects WP Visitor Statistics Real Time Traffic: from n/a through 8.2...

PT-2025-33941 · WordPress · Wp Visitor Statistics

Name of the Vulnerable Software and Affected Versions: WP Visitor Statistics Real Time Traffic versions through 8.2 Description: This issue involves improper neutralization of input during web page generation, leading to a stored cross-site scripting XSS condition. Recommendations: Update WP...

WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: wsmshowDayStatBox id='" onclick="javascript:alert1'...