EIP-2026-113663

PRE-CVE

WordPress Plugin Count Per Day 3.5.4 - Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113663. PoCs published by Julien Rentrop.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in the Count per Day WordPress Plugin (version 3.5.4) by manipulating the Referer header to inject JavaScript code. The payload is executed when an admin views the referer list in the plugin's admin page.

Description

WordPress Plugin Count Per Day 3.5.4 - Persistent Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC

by Julien Rentrop · textwebappsphp

https://www.exploit-db.com/exploits/40206

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in the Count per Day WordPress Plugin (version 3.5.4) by manipulating the Referer header to inject JavaScript code. The payload is executed when an admin views the referer list in the plugin's admin page.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Count per Day WordPress Plugin version 3.5.4

No auth needed

Prerequisites: Victim must visit a malicious link or site controlled by the attacker · Admin must view the referer list in the plugin's admin page

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026