Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Smoothness Slider Shortcode plugin for WordPress, versions 1.2.2 and earlier. An attacker who can cause a victim to visit a specially crafted URL can make the victim's authenticated browser perform plugin actions with the victim's privileges. Because the forged request can cause malicious script to be stored, the CSRF can lead to stored cross-site scripting that affects every visitor to the site. If the plugin allows content creation or modification, the attacker may alter site content or configuration, potentially enabling further attacks such as phishing or defacement. The flaw is classified as CWE-352.
Affected Systems
WordPress sites running the Smoothness Slider Shortcode plugin at version 1.2.2 or any earlier release. The vendor is njshofe, and the product is Smoothness Slider Shortcode. All versions up to and including 1.2.2 are affected; no later versions are listed.
Risk and Exploitability
The CVSS score of 7.1 classifies the flaw as high severity, while the EPSS score of <1% indicates a low overall exploitation likelihood at present. It is not listed in the CISA KEV catalog, which lowers its immediate threat visibility. The likely attack vector is a malicious site issuing a forged request that rides on the victim's authenticated session. Because the attacker needs no credentials of their own, an outsider can exploit the flaw simply by enticing an administrator to visit a malicious link. The risk is more pronounced in environments with many users holding elevated privileges, or where the plugin's functionality is exposed on public-facing pages.
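The missing control and its fix, as an added illustration (not code from the Smoothness Slider Shortcode plugin, whose source the advisory does not show): a hypothetical settings handler with no nonce check, beside the hardened form built on WordPress's nonce, capability, sanitization and escaping APIs. The ssc_demo_ function, option and nonce names are assumptions.

```php
<?php
// Added illustration, not code from the Smoothness Slider Shortcode plugin.
// Hypothetical handler that saves a slider caption from an admin form.

// BEFORE: no nonce or capability check and raw input stored.
// Any request carrying the victim's login cookie is honoured, so a forged
// cross-site form can store attacker-chosen markup (CSRF leading to stored XSS).
function ssc_demo_save_caption_vulnerable() {
    $caption = $_POST['caption'];                  // unsanitized
    update_option( 'ssc_demo_caption', $caption ); // stored as-is
    wp_safe_redirect( admin_url( 'options-general.php?page=ssc-demo' ) );
    exit;
}

// AFTER: the form carries a nonce, the handler verifies it and the user's
// capability, input is sanitized on save and escaped on output.
function ssc_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ssc_demo_save_caption">
        <?php wp_nonce_field( 'ssc_demo_save_caption', 'ssc_demo_nonce' ); ?>
        <input type="text" name="caption"
               value="<?php echo esc_attr( get_option( 'ssc_demo_caption', '' ) ); ?>">
        <?php submit_button( 'Save caption' ); ?>
    </form>
    <?php
}

function ssc_demo_save_caption_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // Rejects requests lacking the per-user, per-action nonce that a
    // third-party site cannot obtain; this is the CSRF check the flaw lacks.
    check_admin_referer( 'ssc_demo_save_caption', 'ssc_demo_nonce' );
    $caption = isset( $_POST['caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['caption'] ) )
        : '';
    update_option( 'ssc_demo_caption', $caption );
    wp_safe_redirect( admin_url( 'options-general.php?page=ssc-demo' ) );
    exit;
}

// Shortcode output: escape at render time so stored text cannot run as script.
function ssc_demo_shortcode() {
    return '<div class="ssc-caption">' . esc_html( get_option( 'ssc_demo_caption', '' ) ) . '</div>';
}

add_action( 'admin_post_ssc_demo_save_caption', 'ssc_demo_save_caption_fixed' );
add_shortcode( 'ssc_demo', 'ssc_demo_shortcode' );
```

When auditing a plugin for this class of flaw, look for admin-side handlers that call update_option or write posts without a preceding check_admin_referer or wp_verify_nonce call.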
OpenCVE Enrichment