CVE-2025-7652 in Easy Plugin Stats
Summary
by MITRE • 10/11/2025
The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/11/2025
The vulnerability identified as CVE-2025-7652 affects the Easy Plugin Stats WordPress plugin, specifically targeting versions up to and including 2.0.1. This represents a critical security flaw that enables stored cross-site scripting attacks through the plugin's eps shortcode functionality. The vulnerability arises from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's shortcode implementation.
The technical flaw stems from the plugin's insufficient validation of input parameters passed through the eps shortcode, allowing malicious actors to inject malicious scripts that persist in the plugin's data storage. When authenticated users with contributor-level privileges or higher access pages containing the vulnerable shortcode, the injected scripts execute in the context of the victim's browser session. This stored nature of the vulnerability means that the malicious code remains persistent and can affect any user who views pages containing the compromised shortcode, making it particularly dangerous for environments with multiple users or administrators.
From an operational impact perspective, this vulnerability creates significant risks for WordPress installations using the affected plugin. Attackers with contributor-level access can leverage this flaw to execute arbitrary code on victim systems, potentially leading to session hijacking, data exfiltration, or further privilege escalation within the WordPress environment. The vulnerability's accessibility to users with relatively low privilege levels makes it particularly concerning for sites with less stringent user access controls or those that frequently grant contributor roles to users who may not require such elevated permissions.
The security implications align with CWE-79, which addresses cross-site scripting vulnerabilities, and represents a clear violation of secure coding practices that should prevent unvalidated input from being directly rendered in web pages. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and control communications and privilege escalation through web application exploitation. Organizations should immediately update to patched versions of the Easy Plugin Stats plugin, implement proper input validation measures, and conduct thorough security audits of their WordPress installations to identify and remediate similar vulnerabilities in other plugins or themes that may be susceptible to the same class of issues.
Mitigation strategies should include immediate patching of the affected plugin to version 2.0.2 or later, which addresses the input sanitization and output escaping deficiencies. Administrators should also implement proper access controls to limit contributor privileges to only necessary functions, conduct regular security scanning of WordPress installations, and monitor for suspicious shortcode usage patterns. Additionally, organizations should consider implementing web application firewalls and content security policies to provide additional layers of protection against similar stored XSS vulnerabilities in their web applications.