Impact
A Cross‑Site Request Forgery flaw in the WordPress Marquee Style RSS News Ticker plugin allows an attacker to submit requests that inject malicious script into the plugin’s stored content. Because the script is stored and rendered in future visitor pages, any user who loads the affected page will execute the attacker’s code in their browser, potentially leading to defacement, credential theft, or additional malware delivery.
Affected Systems
WordPress sites running the bnovotny Marquee Style RSS News Ticker plugin version 3.2.0 or earlier are affected. The vulnerability lies in the request handlers for the plugin’s configuration and content updates: they accept state‑changing requests on behalf of authenticated users without verifying that those requests were intentionally submitted, so a forged request from another site is processed as if the user had made it.
Risk and Exploitability
The CVSS score of 7.1 indicates a high‑risk impact, while the EPSS of <1% shows a low but non‑zero likelihood of exploitation in the wild. Although the issue is not listed in the CISA KEV catalog, the combination of stored XSS and CSRF could be used to deliver persistent malicious payloads. An attacker needs to persuade an authenticated administrator or privileged user to perform a forged request, which is feasible via phishing or compromised third‑party sites. The risk is therefore moderate to high for sites that use the vulnerable plugin and have active administrators.
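The defensive pattern that closes this class of bug in a WordPress plugin is shown below as an added example; it is not the Marquee Style RSS News Ticker plugin’s own code, and the `mnt_` prefix, the `mnt_settings` option key, the form field names and the `admin_post` action name are assumptions chosen for illustration. It places a settings handler with no nonce or capability check (the CSRF-plus-stored-XSS shape the advisory describes) beside a hardened handler that verifies a nonce, checks capability, sanitizes on input and escapes on output.

```php
<?php
// Added example (hypothetical plugin names; not the real plugin's code).
// Shows a CSRF-vulnerable settings handler beside a hardened one.

// VULNERABLE PATTERN: no capability check, no nonce check, raw input stored.
// A forged POST riding on a logged-in admin's session is accepted, and the
// unsanitized values are later echoed into visitor pages (stored XSS).
function mnt_save_settings_vulnerable() {
    update_option( 'mnt_settings', array(
        'feed_url' => $_POST['feed_url'],
        'title'    => $_POST['title'],
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=mnt' ) );
    exit;
}

// HARDENED PATTERN
function mnt_save_settings_hardened() {
    // 1. Only users allowed to change site options reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the request must carry the nonce WordPress issued to
    //    this user for this action. A cross-site forged request cannot know
    //    it, so check_admin_referer() aborts the request.
    check_admin_referer( 'mnt_save_settings', 'mnt_nonce' );

    // 3. Sanitize on input so nothing executable is ever stored.
    $settings = array(
        'feed_url' => esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ) ),
        'title'    => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    );
    update_option( 'mnt_settings', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=mnt' ) ) );
    exit;
}
add_action( 'admin_post_mnt_save_settings', 'mnt_save_settings_hardened' );

// The settings form must emit the matching nonce field, otherwise the
// hardened handler rejects even legitimate submissions.
function mnt_render_settings_form() {
    $s = get_option( 'mnt_settings', array( 'feed_url' => '', 'title' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mnt_save_settings">';
    wp_nonce_field( 'mnt_save_settings', 'mnt_nonce' );
    echo '<input type="url" name="feed_url" value="' . esc_attr( $s['feed_url'] ) . '">';
    echo '<input type="text" name="title" value="' . esc_attr( $s['title'] ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// 4. Escape on output as well: even if bad data reached the database through
//    some other path, the ticker markup cannot execute it in a visitor's browser.
function mnt_render_ticker() {
    $s = get_option( 'mnt_settings', array( 'feed_url' => '', 'title' => '' ) );
    return '<div class="mnt-ticker" data-feed="' . esc_url( $s['feed_url'] ) . '">'
         . esc_html( $s['title'] ) . '</div>';
}
```

When auditing a plugin for this issue, look for every handler reached via `admin_post_*`, `wp_ajax_*` or an `options.php`/`admin.php` POST and confirm each one calls `check_admin_referer()` or `wp_verify_nonce()` before writing to options or post content; the nonce check and the output escaping are independent controls, and both are needed because the nonce stops the forged write while the escaping contains any payload that still reaches storage.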
OpenCVE Enrichment