Impact
This vulnerability is an improper neutralization of user input in the WP Visitor Statistics (Real Time Traffic) plugin that allows a DOM‑based Cross‑Site Scripting (XSS) attack. Because the plugin does not encode or filter certain values before inserting them into the page, an attacker can inject malicious scripts that execute in the context of the victim’s browser when the crafted input is processed. The vulnerability description does not specify impacts beyond script execution in the browser, but it discusses the risk inherent in DOM‑based XSS.
Affected Systems
The flaw affects WordPress sites that use the WP Visitor Statistics (Real Time Traffic) plugin version 8.3 or earlier, released by osama.esh. All installations running any version from the earliest release up to and including 8.3 are potentially vulnerable; newer releases are not impacted.
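To check an installation against the affected range above, the following added example (not code from the plugin or from the advisory source) reads the `Version:` field of a WordPress plugin header and compares it numerically with 8.3. The sample header is constructed for illustration, and the path passed on the command line is assumed to be the plugin's main PHP file.

```python
import re
import sys

LAST_AFFECTED = "8.3"  # from the advisory: 8.3 and earlier are affected

# Constructed sample of a WordPress plugin header (not the plugin's real file).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: WP Visitor Statistics (Real Time Traffic)
 * Version: 8.3
 * Author: osama.esh
 */
"""

def plugin_version(php_source):
    """Return the Version field of a WordPress plugin header, or None."""
    # WordPress reads only the first 8 KiB of a file when parsing headers.
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_source[:8192], re.I | re.M)
    return m.group(1) if m else None

def version_key(version):
    """Turn '8.3.1' into (8, 3, 1); trailing zeros dropped so 8.3.0 == 8.3."""
    parts = []
    for seg in version.split("."):
        digits = re.match(r"\d+", seg)
        parts.append(int(digits.group()) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected, compared numerically per segment."""
    return version_key(version) <= version_key(last_affected)

def check(php_source):
    """Classify one plugin file: 'affected', 'not affected' or 'unknown'."""
    version = plugin_version(php_source)
    if version is None:
        return "unknown"  # no header found: needs manual review
    return "affected" if is_affected(version) else "not affected"

if __name__ == "__main__":
    # Assumption: argv[1], if given, is the path to the plugin's main PHP file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(check(fh.read()))
    else:
        print(check(SAMPLE_HEADER))
```

Comparing per numeric segment rather than as strings matters here: a string comparison would rank a hypothetical 8.10 below 8.3 and report it as affected.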
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply crafted input that the plugin processes and reflects in the browser without sanitization; this can typically be achieved via a specially crafted URL or form submission. Because the vector is client‑side, any user visiting the affected page will have the injected script executed in their browser.
OpenCVE Enrichment