The vulnerability in the WordPress Wp‑Scribd‑List plugin allows an attacker to exploit a Cross‑Site Request Forgery flaw to store malicious script content. When a logged‑in user visits a crafted URL, the attacker can insert malicious code that the plugin later renders, enabling the attacker to execute code in the context of any site that uses the plugin for displaying user‑generated Scribd lists. This can lead to theft of session cookies, defacement, or the execution of arbitrary commands in the user’s browser, compromising confidentiality and integrity of the vulnerable site.

Wp‑Scribd‑List plugin for WordPress versions up to and including 1.2 are affected. Any WordPress site that has installed this plugin and is running a version 1.2 or earlier may be vulnerable.

The CVSS score of 7.1 indicates a medium‑to‑high severity vulnerability, but the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a CSRF request that the victim has to accept by having an active authenticated session. Successful exploitation would depend on the victim visiting a malicious site or encountering a crafted link while authenticated, after which the stored XSS can be triggered each time the Scribd list is rendered.