CVE-2025-23978 in FlashCounter Plugin

Summary

by MITRE • 01/31/2025

Cross-Site Request Forgery (CSRF) vulnerability in Ninos Ego FlashCounter allows Stored XSS. This issue affects FlashCounter: from n/a through 1.1.8.


Analysis

by VulDB Data Team • 02/06/2025

CVE-2025-23978 describes a cross-site request forgery (CSRF) weakness in the Ninos Ego FlashCounter WordPress plugin, a visitor-counter plugin, that can be used to plant a stored cross-site scripting (XSS) payload. The advisory lists every release up to and including 1.1.8 as affected and names no fixed release, so any installed copy should be treated as vulnerable until the author publishes a fix. Two distinct weaknesses are chained here: the CSRF half means an attacker can make the browser of a logged-in privileged user submit a state-changing request to the plugin without that user intending it; the stored XSS half means the value written by that request is later rendered into a page without escaping, so it runs as script in the browser of whoever views that page.

Technically, the classification implies that the plugin's settings-saving code does not verify a WordPress nonce (or any equivalent origin check) before writing a submitted value, does not restrict the submitted value to the data type the setting needs, and echoes it back into HTML without escaping. A WordPress plugin that accepts administrative form input is expected to do three things in its handler: check the user's capability, verify the nonce that its own form emitted, and sanitize the value before storing it; and then escape the value again wherever it is output. A missing nonce check alone would let an attacker change the counter's settings; combined with the missing sanitization and escaping, it lets the attacker choose what HTML the site serves.

Operationally, the attack needs a user who is allowed to change the plugin's settings (normally an administrator) to visit an attacker-controlled page while logged in to WordPress; no credentials are needed beyond that. Once the payload is stored it executes in the context of every user who loads the page that renders the poisoned value, which can include further administrators. Script running with an administrator's session can issue authenticated requests the administrator is allowed to make, such as creating users or installing plugins, so the realistic ceiling is site takeover rather than defacement. The payload persists until the stored value is removed, which is what makes stored XSS more dangerous than its reflected counterpart. Note that the page's own indicators do not support claims of active exploitation: the entry is not in CISA's KEV list, its EPSS score is 0.00123, and observed activity is rated very low.

The relevant weakness classes are CWE-352 (Cross-Site Request Forgery) and CWE-79 (Improper Neutralization of Input During Web Page Generation). For site operators the practical mitigation is to remove or deactivate the plugin, or to update it as soon as a release later than 1.1.8 that addresses the issue is available, since no patched version is recorded here. For the plugin author the fix is the standard WordPress pattern: capability check, nonce verification, input sanitization, and output escaping on every path that writes or displays the setting. Defenders who suspect exposure should inspect the option values the plugin stores for script markup, review recent administrative changes to the plugin's settings, and consider a Content Security Policy on the site's pages to limit what an injected script can do.
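The vulnerable and hardened handler shapes described above, written out as an added example for this page. This is not the FlashCounter plugin's code and does not reproduce its real endpoint or option names: the option `fc_example_label`, the admin-post actions `fc_example_save_vuln` / `fc_example_save`, the form field `label` and the nonce name `fc_example_nonce` are assumed names chosen for illustration. It uses only standard WordPress API functions and is meant to be loaded as a plugin on a test site.

```php
<?php
/*
 * Illustrative WordPress settings handler written for this page as an
 * added example; it is NOT the FlashCounter plugin's code. All names
 * (option 'fc_example_label', actions 'fc_example_save_vuln' and
 * 'fc_example_save', field 'label', nonce 'fc_example_nonce') are assumed.
 */

// --- Vulnerable pattern: the bug class described above -----------------
// No capability check, no nonce check, no sanitization. Any page that
// makes a logged-in admin's browser POST to admin-post.php with
// action=fc_example_save_vuln can store attacker-chosen HTML.
add_action( 'admin_post_fc_example_save_vuln', function () {
    update_option( 'fc_example_label', $_POST['label'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// Unescaped output of the stored value completes the stored XSS.
function fc_example_render_vuln() {
    echo '<span class="fc-label">' . get_option( 'fc_example_label', '' ) . '</span>';
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'admin_post_fc_example_save', function () {
    // 1. Capability: only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Nonce: the request must carry the token our own form emitted.
    //    A cross-site form cannot know it, which is what defeats CSRF.
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'fc_example_save', 'fc_example_nonce' );

    // 3. Sanitize on input: strip tags and control characters before storing.
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'fc_example_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
} );

// Settings form that emits the nonce the hardened handler expects.
function fc_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fc_example_save">
        <?php wp_nonce_field( 'fc_example_save', 'fc_example_nonce' ); ?>
        <label>Counter label
            <input type="text" name="label"
                   value="<?php echo esc_attr( get_option( 'fc_example_label', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 4. Escape on output as well. Input sanitization and output escaping are
//    independent controls; either one may be bypassed on another code path.
function fc_example_render() {
    echo '<span class="fc-label">' . esc_html( get_option( 'fc_example_label', '' ) ) . '</span>';
}

// --- Defender-side check -------------------------------------------------
// Lists option names whose stored value contains common script markers.
// Expect some false positives (legitimate options can contain markup);
// review the hits rather than deleting them blindly.
function fc_example_find_script_markers() {
    global $wpdb;
    return $wpdb->get_col(
        "SELECT option_name FROM {$wpdb->options}
         WHERE option_value LIKE '%<script%'
            OR option_value LIKE '%onerror=%'
            OR option_value LIKE '%javascript:%'"
    );
}
```

The order of checks in the hardened handler matters: the capability test runs first so that an unauthenticated or low-privilege request is refused before the nonce is even examined, and the nonce is tied both to a specific action string and to the logged-in user's session, so a token captured from one site or one account is useless elsewhere.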

Responsible: Patchstack

Reservation: 01/16/2025

Disclosure: 01/31/2025

Moderation: accepted

CPE: ready

EPSS: 0.00123

KEV: no

Activities: very low
