Impact
The weakness is a Cross-Site Request Forgery (CSRF) flaw that lets an attacker submit malicious input through the Wizhi Multi Filters by Wenprise plugin. The plugin stores this input and serves it as part of the site's content. When an end user later requests the affected page, the attacker-supplied script executes in that user's browser context. The root cause is the plugin's failure to validate or protect against unauthorized state-changing requests (CWE-352).
Affected Systems
The vulnerability applies to the Amos Lee (一刀) Wizhi Multi Filters by Wenprise WordPress plugin in all releases up to and including version 1.8.6. WordPress sites that have this plugin installed and have not applied a newer, patched version are susceptible.
Risk and Exploitability
The CVSS rating of 7.1 signals a moderate-to-high severity, while the EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is presently low. The flaw is not currently listed in CISA's KEV catalog, but its impact could be significant if an attacker succeeds. The typical attack path involves a forged (CSRF) request issued through an authenticated user's session, which lets the attacker inject and store malicious JavaScript that later runs in the browser of any viewer of the compromised content.
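The controls whose absence this advisory describes, shown as an added illustration that is not code from the plugin or its author: a nonce and capability check on the state-changing request, sanitization on save, and escaping on output. Every `efs_*` name, the option key, the settings page slug and the shortcode are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Filter Settings (constructed illustration)
 * Hypothetical names: the efs_* functions, the efs_label option, the efs_save
 * action and the [efs_label] shortcode are assumptions, not the affected plugin's.
 */

add_action( 'admin_menu', function () {
    add_options_page( 'Example Filters', 'Example Filters', 'manage_options', 'efs', 'efs_render_form' );
} );

// Settings form: the nonce field ties the submission to this action and user session.
function efs_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="efs_save">
        <?php wp_nonce_field( 'efs_save', 'efs_nonce' ); ?>
        <input type="text" name="efs_label" value="<?php echo esc_attr( get_option( 'efs_label', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// State-changing handler. Without the capability and nonce checks, a request
// triggered from another origin while an administrator is logged in would be
// accepted as if the administrator had submitted the form (CWE-352).
function efs_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Terminates the request unless efs_nonce is present and valid for 'efs_save'.
    check_admin_referer( 'efs_save', 'efs_nonce' );

    $label = isset( $_POST['efs_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['efs_label'] ) )
        : '';
    update_option( 'efs_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=efs' ) );
    exit;
}
add_action( 'admin_post_efs_save', 'efs_handle_save' );

// Front-end output: escape at render time so a stored value is shown as text, not run as script.
function efs_shortcode() {
    return '<span class="efs-label">' . esc_html( get_option( 'efs_label', '' ) ) . '</span>';
}
add_shortcode( 'efs_label', 'efs_shortcode' );
```

The nonce check addresses the CSRF entry point, while the save-time sanitization and output escaping limit what a stored value can do if another write path is missed.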