CVE-2025-3953
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings UpdateThe WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.
We have discovered 111,492 live websites that are affected by CVE-2025-3953.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 111,492 live websites (82.36% of WP Statistics install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 127 versions ( 98.45% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Apr 30, 2025
- Updated - Apr 30, 2025
Credits
- Trương Hữu Phúc (truonghuuphuc) (finder)
CWE
CVE References
CWE References
CVE-2025-3953 usage by Country
 United States | 23,701 websites |
 Germany | 23,195 websites |
 France | 8,262 websites |
 Iran | 5,474 websites |
 Japan | 4,298 websites |
 Italy | 4,060 websites |
 Poland | 3,706 websites |
 Netherlands | 3,608 websites |
 GB | 2,625 websites |
 Denmark | 2,485 websites |
CVE-2025-3953 usage by TLD
| .com | 36,926 websites |
| .de | 14,178 websites |
| .org | 5,889 websites |
| .fr | 3,641 websites |
| .nl | 3,581 websites |
| .net | 3,234 websites |
| .it | 3,099 websites |
| .pl | 2,973 websites |
| .ch | 1,935 websites |
| .at | 1,673 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-3953
Top websites that are affected by CVE-2025-3953. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********************.org | France | ***,*** | |
| *******.************.com | United States | ***,*** | |
| *********.***.bg |  Bulgaria | ***,*** | |
| **********.ru |  Russia | *,***,*** | |
| ******.com | United States | *,***,*** | |
| *****.org | United States | *,***,*** | |
| **************.it | Italy | *,***,*** | |
| ******.**.uk | United States | *,***,*** | |
| ****************.org | Germany | *,***,*** | |
| ******.com | United States | *,***,*** |
FAQ
CVE-2025-3953 is Missing Authorization in WP Statistics
A total of 111,492 websites have been identified as vulnerable to CVE-2025-3953, based on global website indexing conducted by WebTechSurvey.
The WP Statistics is affected by the CVE-2025-3953 vulnerability.
WP Statistics versions up to and including 14.13.3 are vulnerable to CVE-2025-3953.