Impact
The vulnerability is a stored cross-site scripting (XSS) flaw that lets an attacker inject malicious script into web pages generated by the plugin and have it persist there. The flaw arises from inadequate sanitization of user-supplied data before it is stored and later displayed. An attacker who can submit data through the plugin's interface can embed JavaScript that runs in the browser of every user who views the affected page, compromising confidentiality and integrity and potentially enabling credential theft or defacement.
Affected Systems
The affected product is the WordPress Kama Click Counter plugin, developed by Timur Kamaev. Versions from the initial release up to and including 4.0.4 are vulnerable, as indicated by the range "from n/a through <= 4.0.4". Any WordPress installation using these versions of the plugin is at risk.
Risk and Exploitability
The CVSS score of 6.5 classifies the issue as medium severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves an authenticated user or administrator who is able to submit content via the plugin's interface, thereby storing a malicious payload that is later rendered as part of the web page. This path relies on the plugin's storage and rendering mechanisms, but the official description does not detail the explicit prerequisites, so the attack vector is inferred from typical stored XSS exploitation patterns.
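The sanitization gap described under Impact and the submit-then-render path described above map onto a common WordPress plugin pattern. The following PHP is an added illustration, not Kama Click Counter's code: it shows a hypothetical plugin setting saved from a form and printed into a page, first in the weak form and then hardened with WordPress's own sanitization, escaping, capability and nonce APIs. The option name, form field and capability are assumptions, and the code is meant to run inside a WordPress installation.

```php
<?php
// Added example (not the plugin's code). Hypothetical setting "demo_click_label"
// saved from POST field "demo_label"; all names here are assumptions.

// VULNERABLE pattern: raw request data is stored and later echoed unescaped,
// so anyone who can submit the form can persist script in the rendered page.
function demo_save_label_vulnerable() {
    if ( isset( $_POST['demo_label'] ) ) {
        update_option( 'demo_click_label', $_POST['demo_label'] ); // no sanitization
    }
}

function demo_render_label_vulnerable() {
    // Stored value is concatenated straight into markup: no output escaping.
    echo '<span class="click-label">' . get_option( 'demo_click_label' ) . '</span>';
}

// HARDENED pattern: authorize the request, verify its nonce, sanitize on the
// way into storage, and escape on the way out for the context it is printed in.
function demo_save_label_hardened() {
    if ( ! isset( $_POST['demo_label'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change the setting
    }
    // The submitting form must emit wp_nonce_field( 'demo_save_label' );
    // check_admin_referer() stops execution if the nonce is missing or invalid.
    check_admin_referer( 'demo_save_label' );

    // wp_unslash() removes WordPress's added slashes; sanitize_text_field()
    // strips tags, line breaks and control characters before storage.
    $label = sanitize_text_field( wp_unslash( $_POST['demo_label'] ) );
    update_option( 'demo_click_label', $label );
}

function demo_render_label_hardened() {
    $label = get_option( 'demo_click_label', '' );
    // Escape for the output context: esc_html() for element text,
    // esc_attr() if the value were placed inside an HTML attribute.
    echo '<span class="click-label">' . esc_html( $label ) . '</span>';
}
```

Sanitizing on input alone is not sufficient, because stored data can also arrive through other code paths or older records; escaping at render time is what prevents the stored payload from executing.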
OpenCVE Enrichment