Impact
The vulnerability is a stored cross‑site scripting (XSS) flaw caused by improper neutralization of input during web page generation. Data entered through the Visitor Details plugin on a WordPress site is saved to the site’s database without being sanitized. When a user later loads a page that renders the stored content, any embedded malicious script executes in that visitor’s browser. This can lead to attacks that target site visitors, but it does not grant the attacker direct access to the web server or administrative credentials.
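The store-then-render pattern described above, shown beside its corrected form as an added example in plain PHP. This is not the plugin's code: the field names, helper names and in-memory rows are assumptions, and the sample values are constructed.

```php
<?php
// Added illustration, not the Visitor Details plugin's code.
// Field names, helper names and the in-memory rows are hypothetical.

// Constructed sample rows standing in for stored visitor records.
$rows = [
    ['ip' => '203.0.113.7', 'user_agent' => 'Mozilla/5.0 (X11; Linux x86_64)'],
    ['ip' => '203.0.113.9', 'user_agent' => '<script>alert(1)</script>'],
];

// Flawed pattern: stored values go into the HTML unchanged, so markup
// inside a stored value becomes part of the page.
function render_unsafe(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['ip']}</td><td>{$r['user_agent']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Escape for the HTML text/attribute context at output time.
// WordPress code would call esc_html() / esc_attr() here.
function e(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Corrected pattern: every stored value is escaped when rendered.
function render_safe(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr><td>' . e($r['ip']) . '</td><td>' . e($r['user_agent']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Second layer at write time: drop tags and control characters and cap
// the length before saving. WordPress offers sanitize_text_field().
function clean_for_storage(string $v, int $max = 255): string {
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($v)) ?? '';
    return substr(trim($v), 0, $max);
}

echo render_unsafe($rows);
echo render_safe($rows);
echo clean_for_storage($rows[1]['user_agent']), "\n";
```

Output escaping is the control that closes the flaw; the write-time cleanup only reduces what reaches the database and does not replace it.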
Affected Systems
The flaw affects the WordPress Visitor Details plugin developed by Ravi Singh. All installations of the plugin with a version number up to and including 1.0.1 are vulnerable. The vulnerability description does not list a lower bound, indicating that every released version of the plugin prior to 1.0.2 is impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of < 1% reflects a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the plugin’s method of accepting visitor data, which can be supplied by any visitor to the site. An attacker only needs to induce a visitor to submit malicious payloads that will be stored and later executed when the page displaying that data is loaded. No privileged access to the server is required for the exploit to succeed.