Impact
The vulnerability arises from an unauthenticated cross‑site scripting flaw in the Stop Spammers plugin for WordPress, versions 2026.3 and earlier. An attacker can inject script code into the plugin’s output, which then runs in the browser of any visitor who loads the affected page. From the client‑side perspective this can compromise the confidentiality, integrity, or availability of the site’s content, potentially allowing an attacker to steal user credentials, deface the site, or redirect users to malicious domains. The weakness is classified as CWE‑79, cross‑site scripting caused by improper input validation or missing output encoding.
Affected Systems
The affected product is the WordPress Stop Spammers plugin developed by Web Guy, specifically all versions up to and including 2026.3. The plugin is commonly installed on WordPress sites to manage spam registrations, so any site running a vulnerable version is at risk.
Risk and Exploitability
The CVSS score of 7.1 rates this flaw as high severity, while its EPSS score of less than 1% indicates a low but non‑zero probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, but because it executes client‑side it is triggered in the browser of any legitimate visitor who loads the affected page. The likely attack vector is a crafted URL or form input that the plugin reflects into the page without proper sanitization or output encoding, so the injected script is rendered to users.
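As an added illustration (not code from the Stop Spammers plugin or from OpenCVE), the following stand‑alone PHP shows the CWE‑79 pattern described in the Impact and Risk sections: a request parameter echoed into the page as‑is, beside a version that encodes each value for its output context. The function names, the sample query‑string values and the `notice` markup are constructed for the example; the WordPress helpers esc_html(), esc_attr() and esc_url() named in the comments are the ones a plugin would normally call, but the file uses plain htmlspecialchars() so it runs without WordPress loaded.

```php
<?php
// Added example, not the plugin's code: reflected XSS (CWE-79) in a
// request-to-page path, and the context-aware encoding that closes it.
declare(strict_types=1);

// Weak: a query parameter is written straight into the HTML document.
// Any markup in the parameter becomes part of the page the visitor's
// browser executes. This is the pattern the advisory describes.
function render_notice_unsafe(array $get): string
{
    $msg = $get['msg'] ?? '';
    return "<div class=\"notice\">{$msg}</div>";
}

// Hardened: encode for the exact place the value lands.
// WordPress equivalents: esc_html() for text nodes, esc_attr() for
// attribute values, esc_url() for href/src values.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_attr_ctx(string $s): string
{
    // Same table as text context; ENT_QUOTES matters here so a value
    // cannot close the quoted attribute and start a new one.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL context: accept only http(s) URLs; javascript:, data: and
// malformed values are dropped rather than "escaped".
function esc_url_ctx(string $s): string
{
    $url = filter_var($s, FILTER_VALIDATE_URL);
    if ($url === false || !preg_match('#^https?://#i', $url)) {
        return '';
    }
    return esc_attr_ctx($url);
}

function render_notice_safe(array $get): string
{
    $msg  = esc_html_ctx((string) ($get['msg'] ?? ''));
    $ret  = esc_url_ctx((string) ($get['return'] ?? ''));
    $cls  = esc_attr_ctx((string) ($get['class'] ?? 'notice'));
    $link = $ret !== '' ? " <a href=\"{$ret}\">back</a>" : '';
    return "<div class=\"{$cls}\">{$msg}{$link}</div>";
}

// Constructed sample input standing in for a crafted query string.
$sample = [
    'msg'    => '<script>alert(1)</script>',
    'return' => 'javascript:alert(1)',
    'class'  => '" onmouseover="alert(1)',
];

$unsafe = render_notice_unsafe($sample);
$safe   = render_notice_safe($sample);

// The unsafe rendering carries a live <script> element; the hardened
// rendering carries only inert text and no attribute or URL break-out.
assert(str_contains($unsafe, '<script>alert(1)</script>'));
assert(!str_contains($safe, '<script'));
assert(!str_contains($safe, 'javascript:'));
assert(!str_contains($safe, '" onmouseover'));

echo $safe, PHP_EOL;
```

Run with `php xss_encoding_example.php` (PHP 8 or later for str_contains()). The printed line is `<div class="&quot; onmouseover=&quot;alert(1)">&lt;script&gt;alert(1)&lt;/script&gt;</div>`: the script tag is inert text, the attribute cannot be closed early, and the non‑http return URL has been discarded. The point the advisory makes is visible in the difference between the two render functions: sanitizing on input helps, but the control that actually prevents CWE‑79 is encoding every reflected value for its output context at the moment it is written into the page.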
OpenCVE Enrichment