Impact
The salavat counter plugin for WordPress stores an 'image_url' field without adequate sanitization or escaping, allowing a maliciously crafted script to be persisted. Because the plugin accepts this parameter through its admin interface, an attacker who is authenticated with administrator-level privileges can inject arbitrary JavaScript code that will run in the browsers of any user who views a page that displays the stored value. This constitutes a stored cross-site scripting vulnerability, stemming from inadequate input validation and output escaping, and corresponds to CWE-79.
Affected Systems
All WordPress sites that have installed the goback2 salavat counter plugin in version 0.9.5 or earlier are affected. The flaw exists in every release up to and including 0.9.5 because the input handling was not corrected in any of those versions. Sites that removed or disabled the plugin, or upgraded beyond that version, are no longer impacted.
Risk and Exploitability
The CVSS base score of 4.4 indicates a moderate severity, while an EPSS score of less than 1% suggests a low likelihood of real-world exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must be authenticated and possess administrator or higher privileges to inject payloads, making the attack vector an authenticated privileged use of the plugin's admin interface. Once stored, the malicious script runs for every visitor who accesses the affected page, thereby potentially impacting a broad user base.
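Added example, not the plugin's own code: a hypothetical WordPress option handler for an 'image_url' field, showing the unsafe store-and-echo pattern described above next to a hardened version that sanitizes on write with esc_url_raw() and escapes on output with esc_url(). The option name, function names and nonce action are assumptions.

```php
<?php
// Added example (not the plugin's code). Option and function names are hypothetical.

// --- Unsafe pattern: raw admin input persisted, then echoed into an attribute unescaped ---
function hypothetical_save_image_url_unsafe() {
    if ( isset( $_POST['image_url'] ) ) {
        update_option( 'hypothetical_counter_image_url', $_POST['image_url'] ); // no sanitization
    }
}
function hypothetical_render_image_unsafe() {
    $url = get_option( 'hypothetical_counter_image_url', '' );
    echo '<img src="' . $url . '">'; // attribute context, nothing escaped: stored XSS (CWE-79)
}

// --- Hardened pattern ---
// register_setting() with a sanitize_callback: every write through the Settings API
// passes esc_url_raw(), which keeps only URLs using an allowed protocol.
add_action( 'admin_init', function () {
    register_setting(
        'hypothetical_counter_options',
        'hypothetical_counter_image_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'esc_url_raw',
            'default'           => '',
        )
    );
} );

function hypothetical_save_image_url_safe() {
    // Capability and nonce checks gate who may write; sanitization governs what is stored.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'hypothetical_counter_save' );
    $raw = isset( $_POST['image_url'] ) ? wp_unslash( $_POST['image_url'] ) : '';
    update_option( 'hypothetical_counter_image_url', esc_url_raw( $raw ) );
}

function hypothetical_render_image_safe() {
    $url = get_option( 'hypothetical_counter_image_url', '' );
    if ( '' === $url ) {
        return;
    }
    // esc_url() escapes for the HTML attribute context and returns '' for schemes
    // outside wp_allowed_protocols(), so a stored non-URL value never reaches the page.
    echo '<img src="' . esc_url( $url ) . '" alt="">';
}
```

Because the attacker in this advisory is already an administrator, the capability and nonce checks alone would not close the issue; the sanitize-on-write and escape-on-output steps are what remove the stored script from the rendered page.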
OpenCVE Enrichment