Impact
A Cross‑Site Request Forgery vulnerability in the Tock Widget plugin allows an attacker to trick an authenticated WordPress user into submitting a forged request that stores malicious JavaScript in the site’s widget content. When any visitor loads the affected content, the injected script executes in the viewer’s browser, giving the attacker opportunities to hijack sessions, deface the site, or exfiltrate data. The root cause is a classic missing CSRF token check, as reflected in the CWE‑352 classification; the primary impact is the ability to deliver persistent client‑side code to unsuspecting users.
Affected Systems
WordPress sites running the Tock Widget plugin version 1.1 or earlier are affected. The issue exists from the first available release up to and including 1.1 and applies to the standard plugin component.
Risk and Exploitability
The CVSS score is 7.1, a high severity that reflects the combination of forged authenticated requests and persistent XSS. The EPSS score is reported as less than 1 %, indicating a low predicted probability of exploitation in the wild: very few exploitation attempts have been observed and the flaw has not been widely adopted by attackers. The vulnerability is not listed in CISA’s KEV catalog, but the low exploitation probability does not diminish the seriousness of a stored XSS vector that could affect every site visitor. An attacker can exploit the weakness by luring a logged‑in user to a carefully crafted URL that submits the malicious payload without a valid CSRF token.
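The save-handler pattern behind a missing-CSRF-token flaw, and its hardened counterpart, as an added illustration that is not the Tock Widget plugin's own code. It assumes a hypothetical plugin that stores widget content from its own admin form through admin-post.php; the option name, action name and function names are constructed.

```php
<?php
// Constructed example, not the Tock Widget plugin's own code.
// Assumed: widget content is saved from a plugin admin form posted to admin-post.php.
// The option name 'tockx_widget_content' and action 'tockx_save_content' are hypothetical.

// --- Vulnerable pattern: the request is trusted because the browser sent a logged-in cookie.
// A forged cross-site POST from an administrator's browser is stored verbatim (CWE-352 -> stored XSS).
function tockx_save_widget_content_vulnerable() {
    // No nonce (CSRF token) check, no capability check, no sanitization.
    update_option( 'tockx_widget_content', $_POST['content'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern: emit a nonce in the form, verify it on save, check capability, sanitize, escape.
function tockx_render_settings_form() {
    $current = get_option( 'tockx_widget_content', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'tockx_save_content', 'tockx_nonce' ); // per-user, per-action CSRF token
    echo '<input type="hidden" name="action" value="tockx_save_content">';
    echo '<textarea name="content">' . esc_textarea( $current ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

function tockx_save_widget_content_hardened() {
    // 1. CSRF: a forged request cannot carry a valid nonce tied to this user and action.
    check_admin_referer( 'tockx_save_content', 'tockx_nonce' ); // terminates with 403 on mismatch
    // 2. Authorization: only users allowed to manage options may change widget content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. Sanitize on save: wp_kses_post() strips <script>, event handlers and other disallowed markup.
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    update_option( 'tockx_widget_content', $content );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_tockx_save_content', 'tockx_save_widget_content_hardened' );

// 4. Escape on output as a second layer. If only plain text is expected, store with
//    sanitize_text_field() and render with esc_html() instead of wp_kses_post().
function tockx_render_widget_content() {
    echo wp_kses_post( get_option( 'tockx_widget_content', '' ) );
}
```

When reviewing a plugin for this class of bug, look for any handler that calls update_option() or writes widget settings without a preceding check_admin_referer() or wp_verify_nonce() call and without a current_user_can() check.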