The EC Stars Rating plugin for WordPress suffers from a stored XSS flaw in which unsanitized user input is rendered in generated pages. A malicious payload can be injected via the plugin's rating or comment fields and subsequently executed in the browsers of any visitor who loads a page that includes the stored data. Because the script runs in the context of the site, an attacker could steal session cookies, hijack user accounts, or deliver further malware. This type of weakness corresponds to CWE-79.

Any installation of the ecoal95 EC Stars Rating plugin, from the earliest release up through version 1.0.11, is affected. Sites running those versions are vulnerable. The vulnerability is present regardless of WordPress version, as it originates within the plugin code.

The CVSS score of 5.9 classifies the issue as moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires the attacker to deliver a malicious rating or comment – a form of stored XSS – which is then displayed to other site users. Because the script runs in the victim’s browser, a successful attack would compromise confidentiality, integrity, and possibly availability for those users. The likely attack vector is through the plugin’s input fields, which do not properly encode data before rendering, allowing a remote attacker with access to submit content to inject malicious script that will later be rendered to all page visitors.