Impact
The likely attack vector, inferred from the description, is a forged request originating from an external entity, such as a user clicking a malicious link. The vulnerability is a Cross‑Site Request Forgery that allows an attacker to inject a persistent script into the WP‑BlackCheck plugin’s data store. Once stored, the malicious script executes in the browser of any user who views the affected content, potentially stealing authentication cookies or session data, or defacing the site. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery): the application does not sufficiently verify that a well‑formed request was intentionally submitted by the user on whose behalf it is processed.
Affected Systems
WordPress plugin Stargazer WP‑BlackCheck, versions up to and including 2.7.2. Any WordPress site running a vulnerable instance of this plugin is at risk.
Risk and Exploitability
The likely attack vector, based on the description, is a forged but legitimate‑looking request, for example one triggered by having a logged‑in user visit a malicious link, that causes the plugin to store the attacker’s script. The CVSS score of 7.1 rates the vulnerability as High severity, reflecting significant impact. The EPSS score is below 1%, suggesting that while exploitation is technically possible, it is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog. Once injected, the stored XSS can affect all site visitors; because the script runs within the site’s own origin, the same‑origin policy offers no protection against it.
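As an added illustration of the controls that prevent this class of flaw (hypothetical code written for this page, not code from WP‑BlackCheck or from the advisory), the following WordPress settings handler rejects forged requests with a nonce check, constrains what is stored, and escapes stored data on output; all wpbc_* names are assumed.

```php
<?php
// Illustrative WordPress admin handler with CSRF and stored-XSS protections.
// Hypothetical code: not taken from WP-BlackCheck; the wpbc_* hook, option and
// function names are made up for this example.

add_action( 'admin_post_wpbc_save_settings', 'wpbc_handle_save_settings' );

function wpbc_handle_save_settings() {
    // 1. Capability check: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check (CWE-352): the request must carry a nonce that only a form
    //    rendered by this site for this user could contain. A request that a
    //    third-party page caused the browser to send has no valid nonce and
    //    is rejected here before anything is stored.
    check_admin_referer( 'wpbc_save_settings', 'wpbc_nonce' );

    // 3. Input sanitization: persist a constrained value, never raw request data.
    $message = isset( $_POST['wpbc_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpbc_message'] ) )
        : '';
    update_option( 'wpbc_message', $message );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpbc&updated=1' ) );
    exit;
}

function wpbc_render_settings_form() {
    $message = get_option( 'wpbc_message', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpbc_save_settings">
        <?php wp_nonce_field( 'wpbc_save_settings', 'wpbc_nonce' ); ?>
        <label for="wpbc_message">Message</label>
        <!-- 4. Output escaping: stored data is encoded on the way out, so a
             value that slipped past sanitization still cannot run as script. -->
        <input type="text" id="wpbc_message" name="wpbc_message"
               value="<?php echo esc_attr( $message ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this weakness, look for state-changing handlers that lack the nonce and capability checks shown in steps 1 and 2, and for stored values rendered without the escaping in step 4.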
OpenCVE Enrichment