Impact
This vulnerability is a Cross‑Site Request Forgery (CWE‑352) in the Universal Analytics Injector plugin that lets an attacker persist arbitrary JavaScript. Because the plugin's settings handler performs no anti‑CSRF check, an attacker who lures a logged‑in administrator to a malicious page can submit a crafted request in that administrator's session and store attacker‑chosen script in the snippet the plugin injects. Once saved, the script is served to every visitor who subsequently loads an affected page, where it can hijack sessions, steal cookies, or modify page content. The flaw resides in the plugin's administrative interface, so exploitation requires a privileged, authenticated user to be tricked into issuing the request; the attacker does not need credentials of their own.
Affected Systems
The issue affects WordPress sites that use the hoyce Universal Analytics Injector plugin version 1.0.3 or earlier. No other plugins or versions are listed, so only installations of this plugin at those versions are vulnerable.
Risk and Exploitability
The assigned CVSS base score of 7.1 places the vulnerability in the High severity band. An EPSS score below 1% means the model estimates a low probability of exploitation in the wild over the next 30 days, and the issue is not listed in the CISA KEV catalog, so there is no evidence of active exploitation at the time of writing. An attacker needs to host a page or script that issues the forged request and get a user with access to the plugin's settings to visit it while logged in; no direct access to the site is required. Successful exploitation results in the stored script being served to all subsequent visitors, a persistent condition that remains until the injected snippet is removed from the plugin's settings and the plugin is patched or disabled.
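The following is an added illustration of the pattern described above, not code from the Universal Analytics Injector plugin. It contrasts a settings handler that saves an attacker‑controlled snippet with no nonce or capability check (the CWE‑352 shape the advisory describes) against a hardened handler that verifies a WordPress nonce, checks the caller's capability, accepts only a tracking ID rather than raw HTML, and renders the ID into a fixed script template with JavaScript‑string escaping. The option names (`uai_snippet`, `uai_tracking_id`), the `uai_save_settings` action, the field names and the function names are all assumptions chosen for the example.

```php
<?php
/*
 * Added illustration; not the plugin's own code. Option names, the
 * admin-post action, field names and function names are assumptions.
 */

// --- Vulnerable pattern: no nonce, no capability check, raw HTML stored. ---
// A forged cross-site POST from a logged-in administrator's browser reaches
// this handler carrying the administrator's cookies, so whatever <script>
// the attacker places in 'uai_snippet' is saved and later echoed into pages.
function uai_save_settings_vulnerable() {
    update_option( 'uai_snippet', $_POST['uai_snippet'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=uai' ) );
    exit;
}

// --- Hardened pattern. ---
// The form carries a nonce tied to the action name; a cross-site page cannot
// read it, so a forged request cannot supply a valid one.
function uai_render_settings_form() {
    $id = get_option( 'uai_tracking_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="uai_save_settings">
        <?php wp_nonce_field( 'uai_save_settings', 'uai_nonce' ); ?>
        <label>Tracking ID
            <input type="text" name="uai_tracking_id" value="<?php echo esc_attr( $id ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

function uai_save_settings_hardened() {
    // Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with 403 when the nonce is missing or invalid, which is the
    // check the vulnerable handler lacks.
    check_admin_referer( 'uai_save_settings', 'uai_nonce' );

    $raw = isset( $_POST['uai_tracking_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['uai_tracking_id'] ) )
        : '';
    // Accept only a Universal Analytics property ID. Markup or script is
    // refused outright instead of being stored and "escaped later".
    if ( ! preg_match( '/^UA-\d{4,10}-\d{1,4}$/', $raw ) ) {
        wp_die( 'Invalid tracking ID', '', array( 'response' => 400 ) );
    }
    update_option( 'uai_tracking_id', $raw );
    wp_safe_redirect( admin_url( 'options-general.php?page=uai' ) );
    exit;
}

// Output side: the stored ID is dropped into a fixed script template inside a
// JS string literal, escaped with esc_js(), so it can never become markup.
function uai_print_snippet() {
    $id = get_option( 'uai_tracking_id', '' );
    if ( '' === $id ) {
        return;
    }
    echo "<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;";
    echo "ga('create','" . esc_js( $id ) . "','auto');ga('send','pageview');</script>\n";
    echo '<script async src="https://www.google-analytics.com/analytics.js"></script>' . "\n";
}

add_action( 'admin_post_uai_save_settings', 'uai_save_settings_hardened' );
add_action( 'wp_head', 'uai_print_snippet' );
```

Two points in the hardened version matter independently. The nonce and capability checks close the CSRF path; the switch from storing a free‑form snippet to storing a validated tracking ID removes the stored‑XSS consequence even if some other request ever reaches `update_option`, because the only thing that can be persisted is a string matching the ID pattern.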