Impact
A Cross‑Site Request Forgery flaw in the OrigoThemes Extra Options – Favicons plugin allows an attacker to submit a crafted administrative request that stores malicious JavaScript in the website’s database. When an authenticated administrator subsequently views the affected page, the script executes in the administrator’s browser, enabling code execution with the admin’s privileges. The consequence is typical stored XSS damage, including session hijack, defacement, or redirection to malicious sites.
Affected Systems
Any WordPress deployment that has the Extra Options – Favicons plugin installed in a version up to and including 1.1.0 is affected. The issue originates in the plugin’s handling of favicon inputs, and no specific sub‑versions are excluded.
Risk and Exploitability
The CVSS score of 7.1 marks this as a medium‑to‑high severity issue, while an EPSS score of less than 1% indicates a relatively low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. It can be exploited via a CSRF attack that requires the victim to be an authenticated administrator; the attacker merely needs to lure the administrator to a maliciously crafted page that submits the forged request and thereby stores the payload. The lack of an easily discoverable public exploit does not diminish the underlying danger, as the attacker can embed arbitrary JavaScript into the stored data through the CSRF vector.
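As an added illustration, not code from the OrigoThemes plugin, the following hypothetical WordPress settings handler shows the pattern that produces a CSRF‑to‑stored‑XSS bug of this class (a favicon value saved without a nonce check and echoed unescaped) beside a hardened version that verifies a nonce and capability, sanitizes on input and escapes on output. All names such as `myplugin_favicon_url` and `myplugin_save_favicon_safe` are assumptions.

```php
<?php
// Hypothetical example handler; NOT the affected plugin's code.

// --- Weak pattern: no nonce, no capability check, raw value stored, output unescaped.
function myplugin_save_favicon_weak() {
    // Any forged POST that an administrator's browser sends lands here unchecked.
    update_option( 'myplugin_favicon_url', $_POST['favicon_url'] );
}
add_action( 'admin_post_myplugin_save_favicon_weak', 'myplugin_save_favicon_weak' );

function myplugin_print_favicon_weak() {
    // Stored value echoed verbatim: a value that closes the attribute and injects
    // markup runs in the browser of whoever views the page, including the admin.
    echo '<link rel="icon" href="' . get_option( 'myplugin_favicon_url' ) . '">';
}

// --- Hardened pattern.
function myplugin_save_favicon_safe() {
    // CSRF defense: the request must carry a nonce that the admin's own form generated.
    check_admin_referer( 'myplugin_save_favicon', 'myplugin_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Sanitize on input: esc_url_raw() keeps only a URL with an allowed scheme.
    $url = isset( $_POST['favicon_url'] ) ? esc_url_raw( wp_unslash( $_POST['favicon_url'] ) ) : '';
    update_option( 'myplugin_favicon_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_favicon_safe', 'myplugin_save_favicon_safe' );

function myplugin_print_favicon_safe() {
    // Escape on output too, so a value that slipped past validation cannot break out.
    echo '<link rel="icon" href="' . esc_url( get_option( 'myplugin_favicon_url' ) ) . '">';
}

function myplugin_settings_form() {
    // The nonce field ties the form to this admin's session; a cross-site page cannot forge it.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'myplugin_save_favicon', 'myplugin_nonce' );
    echo '<input type="hidden" name="action" value="myplugin_save_favicon_safe">';
    echo '<input type="url" name="favicon_url" value="' . esc_attr( get_option( 'myplugin_favicon_url', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin for this bug class, look for every `update_option()` reachable from a request handler and confirm that `check_admin_referer()` (or `wp_verify_nonce()`) and a capability check precede it, and that the stored value is escaped wherever it is printed.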