01 · The Real Story
This is a side door left unlocked inside the building, not the front gate ripped off its hinges
CVE-2025-22304 is a missing authorization flaw in the wp-stats-manager WordPress plugin, branded as *WP Visitor Statistics (Real Time Traffic)*. Public sources converge on vulnerable versions through 7.5, with a fix in 7.6; the weakness is a missing capability check that lets an authenticated low-privilege user, specifically Subscriber-level and above, trigger an action they should not be allowed to perform.
The vendor's MEDIUM 4.3 baseline is slightly high for enterprise patch triage. In the real world this requires an already-valid account on a site running a relatively niche plugin, and the published impact is only low integrity with no confidentiality or availability loss. That combination makes this a classic *post-auth web app hygiene* issue: worth fixing, but not something that should outrank unauthenticated RCE, auth bypass, or KEV-listed edge exposure.
"This is a post-auth WordPress plugin bug with low impact and narrow reach, not a fleet-on-fire event."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Identify a target running the plugin
An attacker first confirms the site uses
wp-stats-manager, typically by requesting plugin assets or the plugin readme under /wp-content/plugins/wp-stats-manager/. Commodity tooling such as curl, Burp Suite, or WPScan can do this version fingerprinting if directory exposure or static assets are reachable.Conditions required:
- The target runs WordPress
- The
wp-stats-managerplugin is installed - Plugin paths or assets are remotely discoverable
Where this breaks in practice:
- Many enterprises do not run this plugin at all
- Version fingerprinting is often imperfect when readme files are hidden or cached
- Internet-scale scanners cannot reliably prove the vulnerable code path is reachable
Detection/coverage: External scanners can often detect plugin presence and sometimes version, but they generally cannot validate the missing capability check without credentials.
STEP 02
Obtain low-privilege access
The published exploit condition is Subscriber+. That means the attacker needs a valid WordPress account before the flaw matters, whether through self-registration, credential stuffing, password reuse, or compromise of a low-privileged user.
Conditions required:
- Valid WordPress credentials
- Account has at least Subscriber role
- The vulnerable site exposes a login or registration path
Where this breaks in practice:
- This is the decisive brake on severity: no credentials, no exploit
- Many corporate WordPress deployments do not permit public self-registration
- MFA, SSO, bot protection, and credential hygiene block a lot of real-world account acquisition
Detection/coverage: Credential attacks are usually visible to IdP logs, WordPress auth logs, WAF telemetry, and bot-management controls; the CVE itself is not.
STEP 03
Probe the vulnerable function
With a Subscriber session, the attacker enumerates plugin functionality looking for the handler missing a
current_user_can()-style authorization gate. In practice this is a manual web workflow or AJAX request replay exercise using Burp Suite or a simple authenticated curl session.Conditions required:
- Authenticated session cookie or nonce-bearing browser session
- Knowledge of the vulnerable action or handler
- The site still runs version 7.5 or earlier
Where this breaks in practice:
- No broadly cited public exploit repository or turnkey weaponization was found in this review
- The advisory does not describe a high-impact primitive like arbitrary file write or SQLi
- Nonce checks or partial hardening in surrounding code may complicate reproduction even if capability checks are absent
Detection/coverage: DAST and version-based vulnerability scanners may flag the issue by plugin version. Behavioral detection is weak unless you log and review privileged plugin actions by low-privilege users.
STEP 04
Perform the unauthorized action
If the handler lacks the required capability check, the Subscriber can perform an action intended for a higher-privileged role. Public scoring indicates only low integrity impact, so the expected outcome is a limited unauthorized state change rather than code execution or broad data theft.
Conditions required:
- The specific vulnerable handler is reachable
- Authorization is missing on that code path
- The requested action succeeds with Subscriber privileges
Where this breaks in practice:
- Published impact is narrow and does not imply full admin takeover
- Blast radius is usually limited to one WordPress site or tenant
- The attacker still remains bounded by application logic, not arbitrary OS-level control
Detection/coverage: Best detection comes from application audit logs, admin-action telemetry, and anomaly review for plugin actions initiated by Subscriber accounts.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No evidence of active exploitation was found in the sources reviewed, and the CISA ADP enrichment exposed via OpenCVE marks exploitation as none. |
|---|---|
| KEV status | Not listed in the CISA Known Exploited Vulnerabilities Catalog in the reviewed search results. |
| Proof-of-concept availability | No widely cited public PoC repo turned up during this review. WPScan marks the entry as Verified: No, which lowers confidence in immediate mass weaponization. |
| EPSS | Supplied intel puts EPSS at 0.00114. That is directionally *low* and fits the rest of the evidence; a primary FIRST per-CVE record was not directly retrievable in this session, so percentile is not asserted here. |
| CVSS vector and meaning | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N means remote reachability but requires prior auth, with only low integrity impact and no confidentiality or availability impact. |
| Affected versions | Patchstack, WPScan, and NVD align on vulnerable versions through 7.5 for the wp-stats-manager plugin. |
| Fixed version | Fixed in 7.6 according to Patchstack and WPScan. The WordPress.org plugin page shows later versions are available, with the current listed version at the time of review being 8.5. |
| Exposure population | WordPress.org lists 20,000+ active installations, so the plugin is not rare in absolute terms, but it is still a small subset of internet-facing WordPress overall and an even smaller subset of enterprise estates. |
| Scanning / exposure reality | This is not a clean Shodan/Censys-style edge fingerprint. Attackers can often spot the plugin externally, but exploitation still hinges on authenticated access to a specific WordPress site and role. |
| Disclosure / credit | Patchstack published on 2025-01-06; NVD published on 2025-01-07. Credit goes to Dhabaleshwar Das. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (2.9/10)
The single most important severity brake is the Subscriber-level authentication requirement: this is already past the initial-access stage. Combined with the published low integrity-only impact and no active exploitation evidence, that makes this a cleanup item, not a crisis item.
HIGH Affected version range and fixed version
MEDIUM Exploit practicality without a public PoC
HIGH Overall severity downgrade driven by post-auth requirement
Why this verdict
- Auth required cuts hard: the CVSS already says
PR:L, and Patchstack explicitly states Subscriber access is required. That means the attacker must first win credentials or self-register where allowed, which is a major real-world narrowing from unauthenticated internet exploitation. - Impact is narrow: the vector has
C:N/I:L/A:N, so the published outcome is a limited unauthorized action, not code execution, admin creation, data theft, or service kill. - Reachable population is smaller than the CVSS abstract suggests: only sites running this specific plugin are in scope, and only the subset exposing login or registration paths to attainable low-privilege users are realistically exploitable.
Why not higher?
There is no KEV listing, no cited in-the-wild activity, and no broadly visible public exploit kit in the sources reviewed. More importantly, exploitation begins *after* the attacker already has a valid account, which makes this a post-compromise or post-account-abuse problem rather than an initial foothold vulnerability.
Why not lower?
It still enables an unauthorized action across internet-reachable WordPress sites that use the plugin, and Subscriber accounts are not hypothetical on membership, community, or e-commerce deployments. Broken access control bugs also chain well with weak account governance, so this should not be ignored outright.
05 · Compensating Control
What to do — in priority order.
- Disable public registration where unnecessary — If the site does not need self-service user creation, turn it off now. For a LOW verdict there is no formal mitigation SLA, but this is the fastest way to remove the most important exploit prerequisite while you move through normal patching.
- Restrict Subscriber login paths — Put WordPress login, XML-RPC, and registration behind bot controls, SSO, MFA, or IP/geo restrictions where feasible. This reduces the chance that commodity credential stuffing can manufacture the low-privilege foothold the CVE needs.
- Monitor plugin actions by low-privilege users — Enable or tune WordPress audit logging so actions touching
wp-stats-managerfrom Subscriber accounts are visible. For a LOW finding, use this as a detective control during the backlog remediation window rather than treating it as an emergency response item. - Update the plugin — Move affected instances to 7.6 or later during normal plugin maintenance. Because this is LOW, fold it into backlog hygiene and complete patching within the long remediation window instead of burning an emergency change.
What doesn't work
- A perimeter network scanner alone does not solve this, because version fingerprinting does not prove the authenticated code path is exploitable.
- Endpoint EDR on the web server is not the primary control here; the published impact is application-level unauthorized action, not a host-level malware event.
- Blocking only anonymous traffic is insufficient if the site allows self-registration or has weak password hygiene, because the CVE activates once the attacker has any Subscriber-grade account.
06 · Verification
Crowdsourced verification payload.
Run this on the target WordPress host or inside the container/VM that stores the site files. Invoke it as bash check-wp-stats-manager-cve-2025-22304.sh /var/www/html or point directly at the plugin directory; it needs only read access to the WordPress files, not root.
#!/usr/bin/env bash
# check-wp-stats-manager-cve-2025-22304.sh
# Detects whether WordPress plugin wp-stats-manager is vulnerable to CVE-2025-22304
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
TARGET="${1:-}"
PLUGIN_REL="wp-content/plugins/wp-stats-manager"
PLUGIN_DIR=""
VERSION=""
FIXED="7.6"
verlte() {
[ "$1" = "$2" ] && return 0
[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}
extract_version() {
local base="$1"
local readme="$base/readme.txt"
local mainphp="$base/wp-stats-manager.php"
if [ -f "$readme" ]; then
VERSION=$(grep -E '^Stable tag:' "$readme" 2>/dev/null | head -n1 | sed -E 's/^Stable tag:[[:space:]]*//I' | tr -d '\r')
if [ -n "$VERSION" ]; then
return 0
fi
fi
if [ -f "$mainphp" ]; then
VERSION=$(grep -E '^[[:space:]]*Version:' "$mainphp" 2>/dev/null | head -n1 | sed -E 's/^[[:space:]]*Version:[[:space:]]*//I' | tr -d '\r')
if [ -n "$VERSION" ]; then
return 0
fi
fi
return 1
}
if [ -z "$TARGET" ]; then
echo "UNKNOWN - provide a WordPress root or plugin directory path"
exit 2
fi
if [ -d "$TARGET/$PLUGIN_REL" ]; then
PLUGIN_DIR="$TARGET/$PLUGIN_REL"
elif [ -d "$TARGET" ] && [ "$(basename "$TARGET")" = "wp-stats-manager" ]; then
PLUGIN_DIR="$TARGET"
else
echo "UNKNOWN - wp-stats-manager plugin directory not found under target path"
exit 2
fi
if ! extract_version "$PLUGIN_DIR"; then
echo "UNKNOWN - unable to determine plugin version from readme.txt or wp-stats-manager.php"
exit 2
fi
# Normalize common placeholders
VERSION="$(echo "$VERSION" | awk '{print $1}')"
if verlte "$VERSION" "7.5"; then
echo "VULNERABLE - wp-stats-manager version $VERSION (fixed in $FIXED)"
exit 1
fi
if verlte "$FIXED" "$VERSION"; then
echo "PATCHED - wp-stats-manager version $VERSION"
exit 0
fi
echo "UNKNOWN - parsed version $VERSION could not be classified"
exit 2
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: query your WordPress estate for
wp-stats-manager, identify anything at 7.5 or earlier, and confirm whether those sites allow public registration or have meaningful Subscriber populations. Because this is LOW, there is no noisgate mitigation SLA and noisgate remediation SLA is *backlog hygiene* rather than an emergency motion: document exposed instances now, tighten registration/login controls where practical, and roll the actual plugin update to 7.6+ through normal maintenance rather than interrupting higher-priority patch work.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.