CVE-2023-0095 in Page View Count Plugin
Summary
by MITRE • 02/06/2023
The Page View Count WordPress plugin before 2.6.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/25/2025
The CVE-2023-0095 vulnerability affects the Page View Count WordPress plugin version 2.6.1 and earlier, presenting a significant security risk through stored cross-site scripting exploitation. This vulnerability specifically targets the plugin's handling of block options within WordPress pages and posts, creating an attack vector that could be leveraged by users possessing contributor-level privileges or higher. The flaw stems from inadequate input validation and output escaping mechanisms within the plugin's block rendering functionality, allowing malicious scripts to be persistently stored and subsequently executed when the affected content is displayed to other users.
The technical implementation of this vulnerability resides in the plugin's failure to properly sanitize user-supplied data before incorporating it into the HTML output of WordPress blocks. When contributors or higher-privileged users create or edit content containing the affected plugin blocks, they can inject malicious JavaScript code through the block options parameters. This code becomes permanently stored within the WordPress database and executes whenever the page or post containing the malicious block is rendered, creating a persistent stored XSS attack vector. The vulnerability specifically impacts the plugin's block options handling rather than general WordPress user input, making it more targeted but no less dangerous in its implications.
From an operational perspective, this vulnerability creates a substantial risk for WordPress sites utilizing the affected plugin, as it allows attackers with contributor-level access to execute arbitrary scripts in the context of other users' browsers. The attack surface expands significantly since contributors typically have access to content creation and editing features, making this a common threat vector in WordPress environments where multiple users have varying privilege levels. The stored nature of the XSS attack means that the malicious code remains active until manually removed from the database, potentially affecting all users who view the compromised content, including administrators and regular site visitors.
Security mitigations for this vulnerability involve immediate plugin updates to version 2.6.1 or later, which contain the necessary patches to address the input validation and output escaping deficiencies. Administrators should also implement additional defensive measures such as monitoring user activity for suspicious content creation patterns and conducting regular security audits of installed plugins. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and represents a specific implementation weakness in the plugin's data handling processes. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and control through web-based attacks and privilege escalation through user-level access exploitation, making it particularly concerning for organizations maintaining WordPress environments with multiple user roles and permissions.
Organizations should prioritize this vulnerability remediation as it provides attackers with a persistent means of executing malicious code within their WordPress environments, potentially leading to data breaches, credential theft, or further system compromise. The vulnerability's accessibility through contributor-level privileges makes it particularly dangerous, as it can be exploited by users who may not have direct administrative access but still possess content creation capabilities within the WordPress platform. Regular security assessments and plugin update monitoring become essential practices to prevent exploitation of similar vulnerabilities in other WordPress components and plugins that may exhibit similar input validation weaknesses.