Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that lets an attacker submit data to the plugin through a forged request issued from a victim's browser. When the plugin processes the forged request, the supplied payload is stored and later rendered on pages as script, creating a persistent Stored XSS condition. This can enable an attacker to steal credentials, deface the site, or execute arbitrary scripts in the browsers of visitors who view the affected content.
Affected Systems
The affected product is the WordPress plug-in "Forge – Front-End Page Builder" developed by Manuel Vicedo. All released versions up to and including 1.4.6 are affected. Sites still running these versions without upgrading remain vulnerable.
Risk and Exploitability
With a CVSS score of 7.1 the vulnerability has a moderate to high severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the short term. The issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to cause a user, typically an administrator, to load a crafted URL or form that submits data to the vulnerable endpoint. Once the request succeeds, the malicious code is stored and executed whenever the affected page is viewed by any user. Credentials or direct contact with the victim are not strictly required, but either can greatly simplify the attack.
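The chain described above (a state-changing handler reachable without a CSRF token, whose stored input is later echoed unescaped) is what the following added example illustrates. It is not code from the Forge plugin or from its author; the function names, the `example_builder_` prefix and the `_example_builder_content` meta key are hypothetical. It assumes only the standard WordPress plugin API, and shows the unprotected pattern next to a hardened handler that closes both halves of the chain: a nonce plus a capability check against the forged request, and sanitisation on input plus escaping on output against the stored script.

```php
<?php
// Hypothetical illustration (not the plugin's code). Names prefixed
// example_builder_ are invented for this example.

// --- Unprotected pattern (illustrative only) -------------------------------
// 1. No nonce: any page the logged-in admin visits can POST here on their
//    behalf, which is the CSRF half of the chain.
// 2. No capability check: every authenticated user reaches the handler.
// 3. Raw input stored and raw output echoed: the stored XSS half.
function example_builder_save_unprotected() {
    $content = $_POST['builder_content'];                 // unsanitised
    update_post_meta( (int) $_POST['post_id'], '_example_builder_content', $content );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
function example_builder_render_unprotected( $post_id ) {
    echo get_post_meta( $post_id, '_example_builder_content', true ); // unescaped
}

// --- Hardened pattern ------------------------------------------------------
function example_builder_form( $post_id ) {
    $content = get_post_meta( $post_id, '_example_builder_content', true );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_builder_save">';
    echo '<input type="hidden" name="post_id" value="' . esc_attr( (string) $post_id ) . '">';
    // Emits a _wpnonce field bound to this user, this action and this post,
    // plus a referer field. A third-party page cannot obtain this value.
    wp_nonce_field( 'example_builder_save_' . $post_id );
    echo '<textarea name="builder_content">' . esc_textarea( $content ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
}

function example_builder_save() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // CSRF control: terminates with 403 unless the nonce matches user + action.
    check_admin_referer( 'example_builder_save_' . $post_id );

    // Authorisation: a valid nonce proves intent, not permission.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Input hygiene: keep only the HTML subset allowed in post content;
    // <script>, on* event handlers and javascript: URLs are stripped.
    $raw     = isset( $_POST['builder_content'] ) ? wp_unslash( $_POST['builder_content'] ) : '';
    $content = wp_kses_post( $raw );

    update_post_meta( $post_id, '_example_builder_content', $content );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin_post_{action} only fires for authenticated users; the nopriv variant
// is deliberately not registered.
add_action( 'admin_post_example_builder_save', 'example_builder_save' );

function example_builder_render( $post_id ) {
    // Output filtering as defence in depth: even if an unfiltered value ever
    // reaches the database (another code path, a bad import), it is not
    // rendered as executable script.
    $content = get_post_meta( $post_id, '_example_builder_content', true );
    echo wp_kses_post( $content );
}
```

When auditing a plugin for this class of issue, the two questions the hardened version answers are the ones to ask of every state-changing handler: is there a `check_admin_referer` / `wp_verify_nonce` call before the write, and is the stored value passed through `wp_kses_post` or an `esc_*` function before it is echoed.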
OpenCVE Enrichment