Impact
The vulnerability resides in the Visitor Traffic Real Time Statistics WordPress plugin and allows an attacker who can send arbitrary data to the 'page_title' parameter to store malicious scripts. Because the input is not properly sanitized and the output is not escaped, those scripts are saved in the database and run each time an administrator visits the Traffic by Title page. This stored cross-site scripting can enable an attacker to hijack the admin session, deface the site, or perform other malicious actions within the context of an authenticated user.
Affected Systems
The plugin 'Visitor Traffic Real Time Statistics' from wp-buy is affected in all released versions up to and including 8.4. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity. EPSS data is not available, and the absence of a KEV listing does not diminish the risk for sites still running a vulnerable plugin version. The flaw is exploitable by anyone with network access to the site, because the injection occurs via a public parameter. An attacker only needs to submit a crafted request containing script content; on the next administrator view of the Traffic by Title section, the script executes with the administrator's privileges. The potential impact ranges from session hijacking to full compromise of the administrative interface.
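The PHP sketch below is an added illustration for both the Impact and the Risk and Exploitability sections; it is not code from the Visitor Traffic Real Time Statistics plugin, and the function names, the table name and its columns are assumptions. It contrasts the storage-and-render pattern the advisory describes (a 'page_title' value written to the database unsanitized and echoed to the admin page unescaped) with a hardened version that applies the two missing controls: sanitizing the input on the way in and, more importantly, escaping it on the way out when the Traffic by Title report is rendered.

```php
<?php
// Added illustration, not the plugin's own code.
// Assumed: a custom table {$wpdb->prefix}traffic_titles with columns
// page_title (varchar) and hits (int); all vt_* function names are hypothetical.

// ---------------------------------------------------------------------------
// Vulnerable pattern, as described in the advisory.
// ---------------------------------------------------------------------------
function vt_record_visit_vulnerable() {
    global $wpdb;
    // Raw request data, no sanitization. Note that $wpdb->insert() escapes for
    // SQL, so this is not an injection bug; the stored value is still raw HTML.
    $title = isset( $_REQUEST['page_title'] ) ? $_REQUEST['page_title'] : '';
    $wpdb->insert(
        $wpdb->prefix . 'traffic_titles',
        array( 'page_title' => $title, 'hits' => 1 )
    );
}

function vt_render_titles_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT page_title, hits FROM {$wpdb->prefix}traffic_titles" );
    foreach ( $rows as $row ) {
        // Stored value echoed without escaping: any markup in page_title is
        // interpreted by the administrator's browser when this page loads.
        echo '<tr><td>' . $row->page_title . '</td><td>' . $row->hits . '</td></tr>';
    }
}

// ---------------------------------------------------------------------------
// Hardened pattern: sanitize on input, escape on output, gate the admin view.
// ---------------------------------------------------------------------------
function vt_record_visit_hardened() {
    global $wpdb;
    if ( ! isset( $_REQUEST['page_title'] ) ) {
        return;
    }
    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags, invalid UTF-8 and line breaks and trims whitespace.
    $title = sanitize_text_field( wp_unslash( $_REQUEST['page_title'] ) );
    if ( '' === $title ) {
        return;
    }
    $wpdb->insert(
        $wpdb->prefix . 'traffic_titles',
        array( 'page_title' => $title, 'hits' => 1 ),
        array( '%s', '%d' )   // explicit column formats
    );
}

function vt_render_titles_hardened() {
    // The report is administrator-only; refuse to render for anyone else.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'vt-example' ) );
    }
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT page_title, hits FROM {$wpdb->prefix}traffic_titles" );
    foreach ( $rows as $row ) {
        // Escape at output time regardless of what was stored. esc_html() is
        // the control that prevents stored markup from executing; it also
        // protects rows written before the input-side fix was deployed.
        printf(
            '<tr><td>%s</td><td>%d</td></tr>',
            esc_html( $row->page_title ),
            (int) $row->hits
        );
    }
}
```

Two points worth keeping in mind when reviewing a fix for this class of bug: SQL escaping (here via `$wpdb->insert()`) says nothing about HTML safety, so a plugin can be free of SQL injection and still carry a stored XSS; and input sanitization alone is not sufficient, because values already in the database from before the patch remain unsafe until the rendering code escapes them. Output escaping is therefore the change to verify when confirming that an updated plugin version actually closes the hole.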
OpenCVE Enrichment