Impact
The description indicates an improper neutralization of user input during web page generation in the WP Visitor Statistics (Real Time Traffic) plugin, allowing Stored XSS. Based on typical XSS behavior, it is inferred that attacker‑supplied content is stored in the plugin’s statistics fields and later rendered on the site. As a result, users who view the affected pages may have malicious scripts executed in their browsers, potentially leading to cookie theft, defacement, or redirects to malicious sites. The description does not explicitly state that direct server‑side code execution is possible; it is inferred that the primary impact is client‑side script execution.
Affected Systems
The vulnerability affects the WordPress plugin WP Visitor Statistics (Real Time Traffic) by osama.esh. All plugin versions from the initial release up to and including 7.2 are impacted.
Risk and Exploitability
The issue has a CVSS score of 6.5, placing it in the medium severity range, and an EPSS score of less than 1%, indicating a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Based on typical XSS exploitation patterns, it is inferred that attackers would input malicious payloads into the plugin’s statistics fields, which are then stored and later displayed on the site. Because the vulnerability is stored, an attacker can target site visitors without needing direct access to the file system, though exploitation requires that users load the affected content.