The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw in the SpruceJoy Cookie Consent & Autoblock plugin that permits arbitrary JavaScript to be stored and executed within the web page. The stored XSS can execute in the context of the cookie consent banner, allowing an attacker to run malicious script that may steal session cookies, deface the site, or perform further attacks against users who visit the site. The CWE classification is 352, reflecting the lack of proper CSRF protection.

WP sites running the SpruceJoy Cookie Consent & Autoblock for GDPR/CCPA plugin are affected. Versions up to and including 1.0.1 are explicitly vulnerable, while earlier releases are not referenced. Any WordPress installation that has this plugin installed, regardless of the user role, could be compromised if the plugin is exploited. No other product or version information was provided beyond the stated range.

The CVSS score of 7.1 places the flaw in the "High" severity range, indicating substantial potential impact. The EPSS is listed as < 1%, meaning the exploit probability is very low on the current dataset, and the vulnerability is not currently recorded in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be a CSRF performed via a crafted POST or GET request that the plugin fails to protect against. Once the malicious JavaScript is stored, it is served on subsequent page loads, enabling arbitrary client‑side code execution. Given the moderate CVSS and low EPSS, the risk is moderate but should be mitigated promptly to prevent future exploitation.