The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw that allows an attacker to inject arbitrary text into the go Social plugin’s storage, resulting in Stored Cross‑Site Scripting (XSS). The primary consequence is that any user who views the affected content will have malicious scripts executed in their browser, potentially leading to session hijacking, credential theft, or defacement. The weakness corresponds to CWE‑352 and enables compromise of confidentiality, integrity, and availability by manipulating user interactions with the plugin.

The flaw affects the WordPress plugin go Social by Binesh Dobhal, version 1.0 and earlier. The plugin is often used to integrate social media features into WordPress sites. No other WordPress core components or plugins are indicated as affected, and plugin versions newer than 1.0 are not implicated. Site administrators should identify any installations of go Social up to version 1.0.

With a CVSS score of 7.1, the vulnerability is considered medium‑to‑high risk. The EPSS score of less than 1% indicates that active exploitation appears unlikely at present, and the issue is not listed in the CISA KEV catalog. Nevertheless, the attack path requires a valid user session to submit a forged request; the victim must then visit the stored payload for the attacks to trigger. As the vulnerability combines CSRF with stored XSS, it is an injection flaw that can be exploited remotely from a visited link or an email with a malicious URL, assuming the user is logged into the WordPress site.