The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to store malicious script code in the WordPress plugin Bot Block – Stop Spam Referrals in Google Analytics. This stored XSS can be executed in the browsers of site visitors, potentially leading to session hijacking, cookie theft, defacement or redirect to malicious sites. The weakness is identified as CWE‑79 and is a medium‑severity flaw according to its CVSS score. The principal source of danger is the injection and persistence of user‑supplied script that meets the plugin’s storage mechanisms and is later rendered without proper escaping.

Affected products include Ricky Dawn’s Bot Block – Stop Spam Referrals in Google Analytics plugin. All releases from the initial availability up to and including version 2.6 are vulnerable. No specific sub‑versions are listed beyond that upper bound.

The CVSS base score of 5.9 indicates a medium risk, while an EPSS score of less than 1% suggests exploitation is currently unlikely but remains possible. The vulnerability is not listed in CISA’s KEV catalog. Practical exploitation would require the attacker to submit malicious input through a storage interface of the plugin—likely an administrative or user‑controlled form—so that the malicious script is persisted. Once stored, the script would run in the context of every visitor’s browser when the affected page is rendered, achieving a one‑click of a typical stored XSS attack path. The likely attack vector is remote via the web interface of the plugin, and requires no special privileges beyond the ability to write to the plugin’s data store.