The vulnerability is in the plug-in’s Bot Blocker functionality and can be exploited remotely by sending malicious requests with specifically crafted headers to the website. The vulnerability allows for a persistent cross-site scripting (XSS) attack, where the rogue code will be executed every time a user views the log page. Users are advised to upgrade to this version as soon as possible or to make sure they don’t have the Track Blocked Bots setting enabled. According to statistics from the WordPress plug-ins repository, it is popular with over one million active installations.”]
Source: https://www.csoonline.com/article/3093379/serious-flaw-fixed-in-widely-used-wordpress-plug-in.html
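
The stored XSS pattern described in the excerpt above, as an added example that is not the plug-in's code or part of the quoted article: a log view that prints stored request-header values unescaped, beside a version that encodes them on output. The log structure, field names and function names are hypothetical, and the sample entries are constructed.

```php
<?php
// Added example: a hypothetical blocked-bot log view, not the plug-in's code.

// Constructed sample: header values as a request logger might have stored them.
$blocked_log = [
    ['ip' => '203.0.113.7',  'user_agent' => 'ExampleBot/1.0'],
    ['ip' => '198.51.100.9', 'user_agent' => '<script>alert(1)</script>'],
];

// Unsafe: stored header values are concatenated into the page as-is, so any
// markup in a logged header is interpreted by the browser of whoever opens
// the log page, on every view.
function render_row_unsafe(array $entry): string
{
    return '<tr><td>' . $entry['ip'] . '</td><td>' . $entry['user_agent'] . '</td></tr>';
}

// Hardened: treat every logged field as untrusted, bound its length, and
// HTML-encode it at output time so it is displayed as text.
function render_row_safe(array $entry): string
{
    $cells = '';
    foreach (['ip', 'user_agent'] as $field) {
        // Byte-length cap; ENT_SUBSTITUTE below replaces any split multibyte sequence.
        $value = substr((string) ($entry[$field] ?? ''), 0, 255);
        $cells .= '<td>'
            . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

foreach ($blocked_log as $entry) {
    echo "unsafe: ", render_row_unsafe($entry), "\n";
    echo "safe:   ", render_row_safe($entry), "\n";
}
```

Inside WordPress, `esc_html()` is the usual output-encoding call for text placed in HTML like this.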

