EDB-ID: 37132
CVE: 2015-4084
Author: Panagiotis Vagenas
Type: WEBAPPS
Platform: PHP
Date: 2015-05-27
Vulnerable App: WordPress Plugin Free Counter 1.1

Description

An authenticated or non-authenticated user can perform a stored XSS attack by exploiting the action. The plugin uses a widget to display website visits, so any page containing this widget will load the malicious JS code.

Proof of Concept

1. Send a POST request to to reveal the counter ID with data:
2. Send a POST request to with data:
3. Visit a page of the infected website that displays the plugin's widget.

Solution

No official solution yet exists.