Impact
A Cross-Site Request Forgery (CSRF) flaw in the WordPress Norse Rune Oracle Plugin allows an attacker to make a victim's browser submit a crafted request that stores arbitrary script in the plugin's data. Because the stored payload is rendered on pages later viewed by any user, the CSRF turns the plugin into a vector for a persistent client-side attack (stored XSS) against every site visitor: script running in visitors' browsers can read and modify data on the site in their context and may hijack their sessions.
Affected Systems
WordPress sites running version 1.4.2 or earlier of the Norse Rune Oracle Plugin, from vendor WP CMS Ninja, are affected. No further version details are provided beyond the maximum affected release.
Risk and Exploitability
The CVSS score of 7.1 marks this vulnerability as high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog, further indicating limited current exploitation. An attacker needs no credentials on the target site but must trick a logged-in administrator or other privileged user into visiting a crafted page or submitting a crafted form; the victim's browser then sends the request with the victim's session cookies. The flaw is a classic CSRF scenario whose injected payload is later executed as stored XSS. The standard CSRF mitigation (a WordPress nonce tied to the action, verified with check_admin_referer() or wp_verify_nonce()) is missing, so the exploitation barrier is low for targeted attacks.
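The pattern behind both the Impact and Risk sections above, shown as an added illustration in plain WordPress plugin code. This is not code from the Norse Rune Oracle Plugin or from WP CMS Ninja; the option name, form field, hook names and the hypo_rune_ prefix are all invented for the example. The first handler stores whatever the request carries and echoes it unescaped, so a forged POST from any site becomes stored XSS; the second adds a nonce, a capability check, input sanitization and output escaping.

```php
<?php
// Added example, not the plugin's own code. All hypo_rune_* names and the
// 'hypo_rune_message' option are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check, no sanitization,
// and the stored value is echoed unescaped.
function hypo_rune_save_settings_vulnerable() {
    if ( isset( $_POST['hypo_rune_message'] ) ) {
        // Any POST sent by an authenticated user's browser lands here, including
        // one auto-submitted by an attacker's page (CSRF). The value can be
        // '<script>...</script>' and is written straight into the database.
        update_option( 'hypo_rune_message', $_POST['hypo_rune_message'] );
    }
}
add_action( 'admin_init', 'hypo_rune_save_settings_vulnerable' );

function hypo_rune_render_vulnerable() {
    // Stored payload rendered on every page that uses the shortcode: stored XSS.
    return '<div class="rune">' . get_option( 'hypo_rune_message', '' ) . '</div>';
}

// --- Hardened pattern.
function hypo_rune_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_rune_save">
        <?php
        // Emits a hidden field carrying a per-user, per-action, time-limited nonce.
        wp_nonce_field( 'hypo_rune_save', 'hypo_rune_nonce' );
        ?>
        <input type="text" name="hypo_rune_message"
               value="<?php echo esc_attr( get_option( 'hypo_rune_message', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function hypo_rune_save_settings_hardened() {
    // 1. Nonce check: a cross-site page cannot read the victim's nonce, so a
    //    forged request fails here. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'hypo_rune_save', 'hypo_rune_nonce' );

    // 2. Capability check on the acting user. CSRF rides the victim's session,
    //    so this limits who can be a useful victim; it does not replace the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize on input: wp_unslash() removes WordPress's added slashes,
    //    sanitize_text_field() strips tags, octets and line breaks.
    $message = isset( $_POST['hypo_rune_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['hypo_rune_message'] ) )
        : '';
    update_option( 'hypo_rune_message', $message );

    // wp_safe_redirect() only follows same-host (or allow-listed) URLs.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin_post_{action} fires only for logged-in users, which is exactly the
// population CSRF targets; the nonce check above is still required.
add_action( 'admin_post_hypo_rune_save', 'hypo_rune_save_settings_hardened' );

function hypo_rune_render_hardened() {
    // 4. Escape on output regardless of what was sanitized on the way in.
    return '<div class="rune">' . esc_html( get_option( 'hypo_rune_message', '' ) ) . '</div>';
}
add_shortcode( 'hypo_rune', 'hypo_rune_render_hardened' );
```

When reviewing a plugin for this class of bug, look for every write to update_option(), update_post_meta() or a custom table that is reachable from admin_init, admin_post_* or wp_ajax_* and confirm that a nonce verification and a current_user_can() check precede it, and that every read of that data back into HTML passes through esc_html(), esc_attr() or wp_kses().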
OpenCVE Enrichment