The vulnerability allows an attacker to forge a request that stores malicious script code in the database of the Rocket Media Library Mime Type plugin. When a user later visits a page that retrieves the stored MIME type, the injected script executes in the victim’s browser as the site’s user, potentially leaking credentials, modifying page content, or redirecting to malicious sites. The weakness is rooted in missing CSRF protection, classified as CWE‑352, and results directly in a stored XSS vector that compromises confidentiality, integrity, and availability for users.

The issue affects the WordPress plugin Rocket Media Library Mime Type from JinHan Park, all releases from the initial public version up through and including version 2.1.0. Site operators should verify the current plugin version to determine exposure.

The CVSS score of 7.1 indicates a high risk to affected sites. The EPSS score of less than 1% suggests a low probability that exploit attempts are currently in use, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a legitimate authenticated user to be tricked into visiting a crafted link or form that triggers the CSRF action, after which the malicious script persists in the system and spreads to all users viewing the affected content.