Impact
A Cross‑Site Request Forgery flaw in the godthor Disqus Popular Posts WordPress plugin allows an attacker to trick a user into submitting a crafted request whose parameters the plugin reflects, unescaped, into the page it returns. Because the request handler performs no CSRF check (no nonce verification), the browser attaches the victim’s cookies and the request is processed as the victim; the outcome is reflected cross‑site scripting. The injected JavaScript runs in the victim’s browser within the site’s origin and with the victim’s privileges, so it can issue further authenticated requests, harvest data the page exposes (including any cookies not marked HttpOnly), deface content, or redirect the victim to attacker‑controlled sites.
Affected Systems
The vulnerability affects the godthor Disqus Popular Posts plugin for WordPress in every release up to and including 2.1.1; no fixed release is identified here. Administrators of any site with the plugin installed should check the installed version (the Plugins screen in wp-admin, or the `Version:` header in the plugin’s main PHP file) and, if it is 2.1.1 or earlier, update to a newer release if one is available or deactivate and remove the plugin.
Risk and Exploitability
The CVSS score of 7.1 (High) reflects that successful exploitation lets the attacker act as the victim inside the victim’s browser, with whatever privileges that user holds on the site. The EPSS score puts the current probability of exploitation in the wild below 1%, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is a CSRF that yields reflected XSS, the attack is reachable over the network but needs user interaction: the victim, typically an authenticated user whose privileges are worth abusing, must open a malicious link or visit an attacker‑controlled page that issues the forged request; no local access or separate privilege escalation is needed. Note that the attacker never sees the response to the forged request directly. The impact comes from the reflected script executing in the victim’s browser, where it can call the site’s authenticated endpoints on the victim’s behalf, read anything the page exposes, and exfiltrate it. WordPress authentication cookies are HttpOnly by default, so the session cookie itself is normally not readable from script; the practical gain is the actions the script can perform as the victim. The XSS is reflected, not stored: every victim has to be delivered the crafted request individually, so reach is bounded by the attacker’s phishing or social‑engineering capability and by which users follow the link.
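To make the bug class in the Impact and Risk sections concrete, the following is an added example, not code from the Disqus Popular Posts plugin or its author: a minimal settings‑style handler that reflects a request parameter without a CSRF check or output encoding, beside a hardened version. All function and parameter names (`vulnerable_handler`, `hardened_handler`, `widget_title`, `_csrf`, `save_widget`) are hypothetical, and the CSRF token is modelled with an HMAC so the file runs stand‑alone under the PHP CLI; in a real plugin the equivalent calls are `wp_nonce_field()` / `check_admin_referer()` for the token and `esc_attr()` for the encoding.

```php
<?php
// Added example (not the plugin's code): the CSRF-to-reflected-XSS pattern
// and its fix, in plain PHP so it runs without WordPress.
declare(strict_types=1);

// --- Vulnerable pattern ---------------------------------------------------
// No CSRF check: any request that arrives with the victim's cookies is
// accepted and processed as the victim.
// No output encoding: the parameter is written into the HTML as-is, so a
// value containing markup becomes reflected XSS.
function vulnerable_handler(array $request): string
{
    $title = (string)($request['widget_title'] ?? '');
    return '<input type="text" name="widget_title" value="' . $title . '">';
}

// --- Hardened pattern -----------------------------------------------------
// A per-session anti-CSRF token bound to the action (HMAC over a server-side
// secret here; wp_nonce_field()/check_admin_referer() in WordPress), checked
// before any processing, plus context-aware escaping of the reflected value.
function make_csrf_token(string $secret, string $action, string $session_id): string
{
    return hash_hmac('sha256', $action . '|' . $session_id, $secret);
}

function hardened_handler(array $request, string $secret, string $session_id): string
{
    $expected = make_csrf_token($secret, 'save_widget', $session_id);
    $given    = (string)($request['_csrf'] ?? '');
    // Constant-time comparison; a cross-site forged request cannot know the
    // token, so it is rejected before the parameter is touched.
    if (!hash_equals($expected, $given)) {
        return '<p>Request rejected: missing or invalid CSRF token.</p>';
    }
    // Attribute context: encode quotes as well as angle brackets.
    $title = htmlspecialchars((string)($request['widget_title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="widget_title" value="' . $title . '">';
}

// --- Demonstration --------------------------------------------------------
// Constructed forged request: the parameters an attacker-controlled page
// would submit (via a link or auto-submitting form) riding on the victim's
// cookies. The payload closes the value attribute and injects a script tag.
$forged = ['widget_title' => '"><script>alert(document.domain)</script>'];

$secret = 'constructed-server-secret';  // in practice a random per-site key
$sid    = 'constructed-victim-session';

// Vulnerable handler: the script tag comes back verbatim inside the response.
echo vulnerable_handler($forged), PHP_EOL;

// Hardened handler: the forged request carries no valid token and is rejected.
echo hardened_handler($forged, $secret, $sid), PHP_EOL;

// Even a request that does carry a valid token (i.e. one the user really
// submitted) cannot inject markup, because the value is encoded on output.
$legit = $forged + ['_csrf' => make_csrf_token($secret, 'save_widget', $sid)];
echo hardened_handler($legit, $secret, $sid), PHP_EOL;
```

The two defences are independent and both are needed: the token check stops the request from being forged across sites, and the output encoding stops a reflected parameter from becoming executable markup even when the request is genuine. Reviewing a plugin for this class of bug means looking for handlers that read `$_GET`/`$_POST`/`$_REQUEST` and echo the value back without a nonce check preceding it and without an `esc_*()` call at the point of output.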