A Cross‑Site Request Forgery flaw in the Scott Nelle Uptime Robot WordPress plugin allows an attacker to inject malicious script that is stored on the site and then executed in the browsers of all users who view the affected page. The stored XSS can lead to session hijacking, credential theft, defacement, or further exploitation on the compromised WordPress installation. The weakness is classified as CWE‑352, a broad CSRF vulnerability that enables an unauthenticated attacker to trigger state‑changing actions.

WordPress sites that have the Uptime Robot plugin of version 0.1.3 or earlier installed are affected. The plugin is maintained by developer Scott Nelle and is distributed as "Uptime Robot". Any WordPress instance that has not upgraded beyond 0.1.3 is within scope of the identified flaw.

The CVSS Base score of 7.1 indicates a high severity level. The EPSS score of less than 1% suggests that the likelihood of exploitation in the near term is low, but the vulnerability is still significant because of the potential impact on users' browsers. The flaw is not listed in CISA’s KEV catalog, meaning there have been no confirmed high‑profile exploits reported so far. It is inferred that an attacker would first obtain a target with the vulnerable plugin, then craft a CSRF request (possibly from a malicious link or embedded form) that image loads or script execution occurs and the resultant XSS payload is persisted. Because the exposure relies on the presence of the plugin, the attack can be executed remotely and does not require privileged access to the WordPress administration area.