Impact
A cross‑site request forgery flaw in the Zephyr Admin Theme plugin allows an attacker to trick an authenticated administrator into submitting a request that stores a crafted script in the plugin’s configuration. When the stored configuration is later viewed, the script runs in the administrator’s browser, enabling client‑side attacks such as session hijacking or credential theft. The weakness is classified as a CSRF vulnerability (CWE‑352); its practical outcome is stored cross‑site scripting in the admin interface.
Affected Systems
The vulnerability affects the Zephyr Admin Theme plugin developed by Dylan James. All releases up to and including version 1.4.1 are affected; versions newer than 1.4.1 are not known to be affected.
Risk and Exploitability
With a CVSS score of 7.1 the bug falls in the moderate‑to‑high risk range, while the EPSS score indicates a very low exploitation probability (<1%). The issue is not listed in CISA’s KEV catalog. Exploitation requires an authenticated administrator to trigger the forged request; based on the description, the attacker would need to entice the admin to click a crafted link or submit a form that stores the malicious script. If successfully exploited, the stored XSS compromises the confidentiality and integrity of the admin interface and of any user who later views the affected configuration page.
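The pattern the advisory describes, and its mitigation, shown as an added example in WordPress plugin PHP. This is illustrative code, not the Zephyr Admin Theme plugin’s own source; the option name, nonce action, field names and menu slug are hypothetical placeholders. The vulnerable handler accepts a POST from any origin and stores it verbatim, then echoes it unescaped; the hardened version ties the request to a per‑user nonce (the CSRF defence), checks capability, sanitizes on input and escapes on output (the stored‑XSS defence).

```php
<?php
// Added example, not code from the Zephyr Admin Theme plugin.
// All identifiers prefixed "example_" are hypothetical placeholders.

// --- Vulnerable pattern (what CWE-352 leading to stored XSS looks like) -------
// No nonce: a form on any attacker site can make a logged-in admin's browser
// send this POST. No sanitization: the value is stored as-is. No escaping:
// the stored value is rendered straight into the page and executes.
function example_vuln_save_settings() {
    if ( isset( $_POST['example_title'] ) ) {
        update_option( 'example_admin_title', $_POST['example_title'] );
    }
}
function example_vuln_render_settings() {
    $title = get_option( 'example_admin_title', '' );
    echo '<input type="text" name="example_title" value="' . $title . '">';
}

// --- Hardened pattern -----------------------------------------------------------
add_action( 'admin_menu', function () {
    add_menu_page( 'Example Settings', 'Example', 'manage_options',
        'example-settings', 'example_render_settings_page' );
} );

function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    $title = get_option( 'example_admin_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); // CSRF token ?>
        <input type="hidden" name="action" value="example_save_settings">
        <!-- esc_attr() neutralises any stored markup, even if it reached the DB by another path -->
        <input type="text" name="example_title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_handle_save_settings() {
    // Capability check: only administrators may change plugin configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce bound to this user and action and
    // aborts the request on failure; a cross-site form cannot supply a valid one.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $raw   = isset( $_POST['example_title'] ) ? wp_unslash( $_POST['example_title'] ) : '';
    $title = sanitize_text_field( $raw ); // strips tags and control characters before storage
    update_option( 'example_admin_title', $title );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'admin.php?page=example-settings' ) ) );
    exit;
}
// admin-post.php dispatches to admin_post_{action} for logged-in users only.
add_action( 'admin_post_example_save_settings', 'example_handle_save_settings' );
```

The two defences are independent and both are needed: the nonce stops a forged request from being accepted at all, and output escaping ensures that a value stored through some other route (a compromised account, a bug elsewhere) still cannot execute in an administrator’s browser. When reviewing a plugin for this class of bug, look for any `update_option()` or settings write reachable from `$_POST` or `$_GET` without a preceding `check_admin_referer()` / `wp_verify_nonce()` call, and for any `echo` of a stored option that is not wrapped in an `esc_*()` function.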