CVE-2025-3953
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings UpdateThe WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.
We have discovered 54,422 live websites that are affected by CVE-2025-3953.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 54,422 live websites (45% of WP Statistics install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 118 versions ( 89% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Apr 30, 2025
- Updated - Apr 8, 2026
Credits
- Trương Hữu Phúc (truonghuuphuc) (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-3953 United States | 8,386 websites |
 Germany | 10,338 websites |
 France | 4,233 websites |
 Iran | 3,118 websites |
 Italy | 2,297 websites |
 Poland | 2,140 websites |
 Japan | 2,014 websites |
 Netherlands | 1,772 websites |
 GB | 1,293 websites |
 Russia | 1,244 websites |
Website Distribution by TLD
Number of websites using CVE-2025-3953| .com | 17,905 websites |
| .de | 6,583 websites |
| .org | 2,359 websites |
| .fr | 2,037 websites |
| .pl | 1,604 websites |
| .it | 1,583 websites |
| .net | 1,509 websites |
| .nl | 1,505 websites |
| .ru | 926 websites |
| .at | 886 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-3953
Top websites that are affected by CVE-2025-3953. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *,*** | |
| ****************.org | United States | **,*** | |
| *****.at | Germany | **,*** | |
| ********.**********.com | United States | **,*** | |
| ***********.fr | France | **,*** | |
| *****.*********.edu | United States | **,*** | |
| *******.com | France | **,*** | |
| ****.org |  Australia | **,*** | |
| *****.pl | Poland | **,*** | |
| ****.it | Italy | **,*** |
FAQ
CVE-2025-3953 is Missing Authorization in WP Statistics
A total of 54,422 websites have been identified as vulnerable to CVE-2025-3953, based on global website indexing conducted by WebTechSurvey.
The WP Statistics is affected by the CVE-2025-3953 vulnerability.
WP Statistics versions up to and including 14.13.3 are vulnerable to CVE-2025-3953.