This vulnerability allows an attacker to forge authenticated requests to the WP‑DownloadCounter plugin and inject malicious scripts that are stored in the site’s content. The stored XSS can execute in the browsers of any user who views the affected content, potentially leading to credential theft, session hijacking, or full‑site takeover. The weakness is a classic CSRF flaw as defined by CWE‑352, and its exploitation results in code execution in the context of the victims’ browsers.

All installations of the WP‑DownloadCounter plugin from older releases through version 1.01 by the vendor r‑win are affected. Any WordPress site that has not upgraded past 1.01 remains vulnerable.

The CVSS score of 7.1 indicates a high severity of the flaw, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically craft a CSRF request that a legitimate user’s browser would unknowingly send to the plugin’s endpoint, thereby delivering the malicious script to be stored in the site’s content. The vulnerability can be leveraged only by an attacker who can induce the target user to visit a crafted URL or submit a forged form.