Impact
The vulnerability is a stored cross-site scripting (XSS) flaw: the Kama Click Counter plugin fails to properly neutralize user-supplied input before rendering it on the web page. An attacker could inject script that is stored and later executed in the browser of any site visitor, potentially allowing theft of session cookies, hijacking of user sessions, or defacement. The weakness is classified as CWE-79 (improper neutralization of input during web page generation), a classic input-handling flaw.
Affected Systems
The issue affects the WordPress Kama Click Counter plugin by Timur Kamaev, specifically all releases up to and including version 4.0.3. No other versions or related products are listed.
Risk and Exploitability
The CVSS base score of 6.5 classifies the flaw as moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation in the wild. The most likely attack vector is any interface that lets users submit data which the plugin stores and later renders in a page. Because the description does not name a specific trigger or prerequisites, it is inferred that a basic content or comment field could be the entry point, provided the plugin stores such input without sanitization.
OpenCVE Enrichment