The vulnerability is a Cross‑Site Request Forgery issue that allows an attacker to inject malicious script that is stored in the system, resulting in a Stored Cross‑Site Scripting exploit. Based on the description, it is inferred that the plugin fails to validate request origin before processing user input, so an attacker can craft a request that is accepted and stored as part of the plugin’s data. An adversary who succeeds can then have the script executed in the browser of any user who views the affected content, potentially exfiltrating credentials or manipulating the user interface.

The affected product is the RSS News Scroller plugin for WordPress developed by vimal.ghorecha. Versions from the initial release up through 2.0.0 are vulnerable. WordPress sites that have this plugin enabled and are running any of those versions are impacted.

The CVSS base score of 7.1 indicates a high severity and the EPSS score of less than 1% suggests that the probability of exploitation is currently very low but non‑zero. Because the issue is not listed in CISA’s KEV catalog, there is no evidence of widespread attacks yet. The likely attack vector is a web‑based CSRF request sent to the site, which an attacker can trigger by enticing a privileged user to visit a crafted URL or embed malicious content in a site that calls the plugin’s endpoint. Successful exploitation would allow the attacker to inject script that runs in the context of all WordPress administrators who view the affected content.