Impact
Cross‑Site Request Forgery in the WP VTiger Synchronization plugin permits an attacker to store malicious HTML and JavaScript in the plugin’s configuration, leading to a stored XSS vulnerability. The flaw allows arbitrary script execution in the browsers of users who view the affected content, potentially leaking session cookies or performing other malicious actions. The weakness corresponds to CWE‑352: the plugin accepts configuration updates without verifying that the request was intentionally sent by the authenticated user, and the submitted values are stored and displayed without proper sanitization. The impact manifests as confidentiality breaches, integrity violations, and the risk of defacement or spreading malware to all visitors of the infected site.
Affected Systems
The vulnerability affects the Master Software Solutions WP VTiger Synchronization WordPress plugin, specifically versions up to and including 1.1.1. Any installation of this plugin, regardless of the WordPress core version, is susceptible. Any site on which an administrator can be induced to submit the plugin’s settings form, which lacks CSRF protection, falls within the impacted scope.
Risk and Exploitability
With a CVSS score of 7.1, the flaw is considered high severity, yet the EPSS score of <1% suggests exploitation is currently unlikely but still possible in targeted attacks. The flaw is not listed in CISA’s KEV catalog, indicating no mass exploitation has been reported. The likely attack path is a CSRF request originating from an external site that a logged‑in administrator inadvertently visits, or from social‑engineering phishing. Successful exploitation would enable persistent, arbitrary script execution on the victim site, with a wide attack surface because the plugin stores user‑supplied data and renders it back to visitors.
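To make the two halves of the weakness concrete, the following added example (not the plugin’s own code) shows a WordPress settings handler with the CWE‑352 pattern described above beside its hardened form; the option name, nonce action, and form field name are hypothetical placeholders.

```php
<?php
// Added illustration, not code from the WP VTiger Synchronization plugin.
// Option name, nonce action and field name are hypothetical placeholders.

// BEFORE: settings are saved straight from $_POST with no nonce check and
// no sanitisation, then echoed back unescaped. Any site a logged-in
// administrator visits can submit this form on their behalf (CSRF), and the
// stored value runs as script for everyone who views the page (stored XSS).
function example_vtsync_save_settings_vulnerable() {
    if ( isset( $_POST['vtsync_api_url'] ) ) {
        update_option( 'example_vtsync_api_url', $_POST['vtsync_api_url'] );
    }
}

function example_vtsync_render_vulnerable() {
    $url = get_option( 'example_vtsync_api_url', '' );
    echo '<input name="vtsync_api_url" value="' . $url . '">'; // unescaped
}

// AFTER: capability check, nonce verification (closes the CSRF hole),
// sanitisation on save and escaping on output (closes the stored XSS).
function example_vtsync_save_settings_fixed() {
    if ( ! isset( $_POST['vtsync_api_url'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Terminates the request unless a valid nonce for this action is present.
    check_admin_referer( 'example_vtsync_save', 'example_vtsync_nonce' );

    $url = esc_url_raw( wp_unslash( $_POST['vtsync_api_url'] ) );
    update_option( 'example_vtsync_api_url', $url );
}

function example_vtsync_render_fixed() {
    $url = get_option( 'example_vtsync_api_url', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() validates.
    wp_nonce_field( 'example_vtsync_save', 'example_vtsync_nonce' );
    echo '<input name="vtsync_api_url" value="' . esc_attr( $url ) . '">';
    echo '<button type="submit">Save</button></form>';
}

add_action( 'admin_init', 'example_vtsync_save_settings_fixed' );
```

A forged cross-site POST carries no valid nonce, so the hardened handler dies before `update_option()` runs, and any value that does get stored is escaped before it reaches the page.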
OpenCVE Enrichment