Free Counter [Persistent XSS]

WordPress plugin Free Counter suffers for an Persistent XSS vulnerability.


Any authenticated or non-authenticated user can perform a stored XSS attack simply by exploiting wp_ajax_nopriv_check_stat action. Plugin uses a widget to display website’s visits, so any page that contains this widget will also load the malicious JS code.

Proof of Concept

  1. Send a post request to

    in order to reveal the counter id of the vulnerable site. The POST data must contain the following vars:

  2. As a response we get a serialized indexed array. The value that we need to know is the counter_id.
  3. Send a post request to

    with data:

    action=check_stat&id_counter=[counter_id from step 2]&value_=<script>alert(1)</script>
  4. Visit a page of the infected website that displays plugin’s widget.

Note that the plugin uses the update_option function to store the $_POST['value_'] contents to DB so any code inserted there will be escaped. Even though a malicious user can omit the quotes in the src attr of the script tag. Most modern browsers will treat the tag as they were there.