Impact
The Clik Stats WordPress plugin contains a reflected cross-site scripting flaw: the raw value of the PHP_SELF server variable is written into the page without sanitization or output escaping. PHP_SELF is derived from the requested path, including any path information a client appends to the script name, so part of its value is attacker-controlled. When an attacker supplies a crafted URL, the plugin echoes the injected markup back to the browser, allowing the attacker to run arbitrary JavaScript. Because that script executes in the origin of the vulnerable site, any user who follows the malicious link exposes whatever their WordPress session can reach, which can lead to credential or session theft, actions performed on the victim's behalf, or defacement. This weakness corresponds to CWE-79 and is characterized by insufficient output encoding.
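The following PHP is an added illustration of the pattern described above and is not code from the Clik Stats plugin or from Codejunkie. It assumes a WordPress environment (the `admin_url()` and `esc_url()` helpers are WordPress core functions); the function names and the page slug `clikstats` are hypothetical. The first function shows the vulnerable shape, where a client-influenced server variable lands unescaped in an HTML attribute; the second shows the usual fix, which both stops reflecting the request path and escapes the value for its output context.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded.

// Vulnerable pattern (reflected XSS, CWE-79).
// PHP_SELF is the script path as requested, including any PATH_INFO the
// visitor appends, so a crafted URL can close the attribute and inject markup.
function clikstats_form_vulnerable() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Hardened pattern.
// 1. Do not reflect a client-influenced path at all; build the target URL
//    from a WordPress helper (the page slug here is hypothetical).
// 2. Escape at the point of output, for the attribute/URL context it lands in.
function clikstats_form_fixed() {
    $action = admin_url( 'admin.php?page=clikstats' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

When the value genuinely must come from the request, `esc_url( $_SERVER['REQUEST_URI'] )` for URL contexts or `esc_attr()` for plain attribute values is the minimum; the safer habit is the one shown in the fixed function, where the output never depends on what the client sent.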
Affected Systems
The vulnerable component is the Clik Stats plugin distributed by Codejunkie for WordPress. All releases up to and including version 0.8 are affected. Any WordPress installation running one of these plugin versions is at risk: the attacker needs no account, since the flaw can be triggered by unauthenticated visitors, while the victim can be a user of any role, with the impact scaling with that user's privileges. The installed version can be checked from the Plugins screen in the WordPress dashboard or with WP-CLI (`wp plugin list`).
Risk and Exploitability
The CVSS score of 6.1 places the vulnerability in the Medium severity range, a moderate rather than critical risk; the score is held down by the need for user interaction, which is typical of reflected XSS. The EPSS score of less than 1% indicates a very low predicted probability of exploitation activity in the near term, and the flaw is not listed in the CISA KEV catalog. The typical attack path requires the attacker to lure a user to a URL that carries the malicious payload, a social-engineering scenario common to reflected XSS. Once the victim follows the link, the injected script runs in the origin of the vulnerable site and with whatever access the victim's WordPress session holds.
OpenCVE Enrichment