A stored cross‑site scripting vulnerability is triggered by a cross‑site request forgery flaw in the Listings for Appfolio WordPress plugin. Because the plugin accepts and saves form data without adequately validating the source, an attacker can submit a payload that is then rendered when site content is displayed, enabling script execution in the context of any user who views the affected page. The flaw corresponds to CWE‑352, a CSRF weakness that allows the injection of malicious content. The potential impact includes data theft, session hijacking, or site defacement for every user who accesses the vulnerable content.

The issue affects WordPress installations running the Listings for Appfolio plugin version 1.2.0 or earlier. No further version detail is provided in the advisory, and the plugin is the only product identified as vulnerable.

The CVSS score of 7.1 indicates a high‑severity vulnerability. With an EPSS score reported as less than 1% and the vulnerability not currently listed in CISA’s KEV catalog, the likelihood of exploitation is low at present, yet the potential damage remains significant. Attackers would typically leverage the CSRF flaw by tricking an authenticated user or a user with sufficient privileges into submitting malicious input, after which the stored payload would be executed globally. Since no official fix has been released at the time of this report, the risk persists until an update or mitigation is applied.