The Easy Download Media Counter plugin (developer Remi Corson) contains an Improper Neutralization of Input During Web Page Generation flaw that permits the storage of malicious JavaScript. When the stored data is displayed on a page, the script runs in the victim’s browser, enabling client‑side code execution. This type of vulnerability is commonly referred to as Stored Cross‑Site Scripting and is identified as CWE‑79.

The plugin Easy Download Media Counter version 1.2 and all earlier releases are affected. Any WordPress site that has Easy Download Media Counter installed at these versions is vulnerable; no further WordPress core version requirements are listed. Administrators who have not yet upgraded or disabled the plugin are at risk.

The CVSS score of 6.5 indicates a moderate impact, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves injection of script payloads via plugin‑controlled fields, such as download descriptions or metadata, which are stored without proper sanitization and then rendered. If an attacker succeeds, the stored script will execute for any user who views the affected content.