The plugin contains a Cross‑Site Request Forgery flaw that allows an attacker to trick a legitimate user into submitting a request that stores a malicious script in the plugin’s data. Once stored, the script executes in the browsers of anyone viewing the affected content, potentially leading to defacement, credential theft or session hijacking. The weakness is a typical CSRF/CWE‑352 vulnerability that can compromise confidentiality, integrity and availability of the WordPress site.

The vulnerability affects the WordPress News Publisher Autopilot plugin for the cdowp (wpm‑news‑api) plugin, with all releases from the initial version through 2.1.4. Any WordPress installation that has this plugin installed and enabled is within scope; the issue does not affect other WordPress components or plugins.

The CVSS score of 7.1 indicates a high severity, and the EPSS score of less than 1% means the likelihood of exploitation in the wild is currently very low. The vulnerability is not listed in the CISA KEV catalog, implying it has no publicly confirmed active exploitation. Attackers would need to lure a logged‑in admin or another privileged user into executing a crafted request, which can be done via a phishing page or compromised site. Once the malicious script is stored, it can be triggered by any visitor to the affected page.