Impact
The Board Election plugin contains a cross-site request forgery flaw that lets an attacker induce an authenticated user to submit a forged request, which the plugin then stores as attacker-controlled script content. When other users later view the stored content, the script executes in their browsers, leading to potential defacement, credential theft, or session hijacking. This stored XSS capability compromises confidentiality and integrity on the affected site.
Affected Systems
The vulnerability affects Pascal Casier's WordPress Board Election plugin for versions from inception through 1.0.1 inclusive. Any WordPress installation running an affected version should be verified.
Risk and Exploitability
Based on the description, the attack path is inferred to be: an attacker prompts a legitimate, authenticated site user to submit a forged request, and the plugin stores the attacker-supplied content, which later executes as cross-site scripting when viewed. The CVSS score of 7.1 classifies the issue as high severity, and an EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Nonetheless, the only precondition is that a legitimate site user be tricked into submitting a request, which is easy for an attacker to achieve in a targeted attack. Administrators should treat this as a high-risk condition until mitigated.
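To illustrate the CSRF-to-stored-XSS chain described above, the following is an added PHP example, not code from the Board Election plugin: a hypothetical save handler in the unsafe form beside its hardened form, which adds a capability check, a WordPress nonce check, input sanitization and output escaping. All function, option and field names are assumptions.

```php
<?php
// Added illustration; all names below are hypothetical, not the plugin's own.

// Unsafe pattern producing the chain described above: any POST carrying the
// expected field is accepted and its raw value stored, then echoed unescaped.
function be_example_save_candidate_vulnerable() {
    if ( isset( $_POST['candidate_name'] ) ) {
        // No nonce check: a forged cross-site POST sent from a logged-in
        // user's browser is accepted. No sanitization: markup is stored.
        update_option( 'be_example_candidate', $_POST['candidate_name'] );
    }
}

function be_example_render_candidate_vulnerable() {
    // Stored value printed as-is, so stored markup runs in every viewer's browser.
    echo '<li>' . get_option( 'be_example_candidate' ) . '</li>';
}

// Hardened form: capability check, nonce verification, sanitization, escaping.
function be_example_save_candidate_hardened() {
    if ( ! isset( $_POST['candidate_name'] ) ) {
        return;
    }
    // Only users permitted to manage the election may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The nonce ties the request to a form this site issued to this user;
    // a request forged from another origin cannot carry a valid one.
    if ( ! isset( $_POST['be_example_nonce'] )
        || ! wp_verify_nonce( $_POST['be_example_nonce'], 'be_example_save_candidate' ) ) {
        wp_die( 'Invalid request.' );
    }
    // Strip tags and control characters before storing.
    $name = sanitize_text_field( wp_unslash( $_POST['candidate_name'] ) );
    update_option( 'be_example_candidate', $name );
}

function be_example_render_candidate_hardened() {
    // Escape at output too, so stored data is never interpreted as markup.
    echo '<li>' . esc_html( get_option( 'be_example_candidate' ) ) . '</li>';
}

// The form that issues the nonce the hardened handler expects.
function be_example_form() {
    echo '<form method="post">';
    wp_nonce_field( 'be_example_save_candidate', 'be_example_nonce' );
    echo '<input type="text" name="candidate_name">';
    echo '<button type="submit">Save</button></form>';
}
```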
OpenCVE Enrichment