CVE-2015-4084

Free Counter 1.1 - Cross-Site Scripting via value_ Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-4084. PoCs published by Panagiotis Vagenas.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in the WordPress Free Counter Plugin (CVE-2015-4084). It outlines the steps to exploit the vulnerability by injecting malicious JavaScript via the `wp_ajax_nopriv_check_stat` action, which is then stored and executed on pages displaying the plugin's widget.

Description

Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.

Exploits (1)

exploitdb WRITEUP
by Panagiotis Vagenas · textwebappsphp
https://www.exploit-db.com/exploits/37132

This is a writeup describing a stored XSS vulnerability in the WordPress Free Counter Plugin (CVE-2015-4084). It outlines the steps to exploit the vulnerability by injecting malicious JavaScript via the `wp_ajax_nopriv_check_stat` action, which is then stored and executed on pages displaying the plugin's widget.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Free Counter Plugin 1.1
No auth needed
Prerequisites: Access to the target WordPress site · Ability to send POST requests to the target site
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/535615/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74846
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37132/

Scores

EPSS 0.0454
EPSS Percentile 90.3%

Details

CWE
CWE-79
Status published
Products (1)
free-counter/free_counter 1.1
Published May 28, 2015
Tracked Since Feb 18, 2026