Impact
The WordPress Logging Service plugin (v1.5.4 and earlier) contains a Cross‑Site Request Forgery vulnerability that allows an attacker to inject persistent malicious scripts into the site’s stored content. If an authenticated user is tricked into submitting a specially crafted request, the malicious payload is stored and later executed in the browsers of all users who view the affected content, resulting in data theft, defacement, or further session hijacking. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery), indicating a REST or form endpoint that accepts state‑changing requests without proper CSRF protection.
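The pattern the advisory describes (a state-changing handler that trusts any request carrying the user's session cookie, then stores the submitted value unescaped) is shown below beside its hardened form. This is an added illustration, not code from the Logging Service plugin, whose source the advisory does not reproduce; every function, action and option name prefixed `demo_` is hypothetical, while the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`) are the standard core functions.

```php
<?php
/*
 * Added illustration (not the Logging Service plugin's code): a hypothetical
 * admin-post handler that stores a log note. The first handler has the
 * weakness class CWE-352 describes; the second applies the core WordPress
 * mitigations. All demo_* names are constructed for this example.
 */

// Vulnerable pattern (hypothetical): no nonce, no capability check, raw input
// stored. Any page the logged-in admin visits can auto-submit this form, and
// the browser attaches the session cookie, so the request looks legitimate.
function demo_save_log_note_vulnerable() {
    $note = isset( $_POST['note'] ) ? $_POST['note'] : '';
    update_option( 'demo_log_note', $note );           // stored as-is
    wp_safe_redirect( admin_url( 'tools.php?page=demo-log' ) );
    exit;
}
add_action( 'admin_post_demo_save_note_vuln', 'demo_save_log_note_vulnerable' );

// Hardened pattern: the form embeds a nonce bound to this action and this
// user's session; a third-party page cannot read it, so it cannot forge the
// request. The handler also checks capability and sanitizes the input.
function demo_render_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_note">
        <?php wp_nonce_field( 'demo_save_note', 'demo_nonce' ); ?>
        <input type="text" name="note"
               value="<?php echo esc_attr( get_option( 'demo_log_note', '' ) ); ?>">
        <?php submit_button( 'Save note' ); ?>
    </form>
    <?php
}

function demo_save_log_note_hardened() {
    // Rejects the request (HTTP 403) unless the nonce was issued for this
    // action to the current user within the nonce lifetime.
    check_admin_referer( 'demo_save_note', 'demo_nonce' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // Strip tags and control characters before the value reaches storage.
    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_option( 'demo_log_note', $note );
    wp_safe_redirect( admin_url( 'tools.php?page=demo-log' ) );
    exit;
}
add_action( 'admin_post_demo_save_note', 'demo_save_log_note_hardened' );

// Output side: escape at render time even though input was sanitized, so a
// value that reached the database by another path still cannot execute.
function demo_show_note() {
    echo '<p>' . esc_html( get_option( 'demo_log_note', '' ) ) . '</p>';
}
```

The nonce check is the part that closes CWE‑352: it makes the handler reject a request that the victim's browser sent on an attacker's behalf, because the attacker's page never sees the nonce value. The input sanitization and output escaping address the second half of the chain, the stored script that would otherwise run in every viewer's browser, and remain worthwhile even where CSRF is already blocked.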
Affected Systems
This flaw affects any WordPress site running the Jan Štětina WordPress Logging Service plugin at version 1.5.4 or lower. No other WordPress components are listed as susceptible. No lower bound on affected versions is given, so the flaw is presumed to have been present in every build from the plugin’s first release up through 1.5.4.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high‑severity band, while the EPSS score of less than 1% reflects a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no confirmed exploitation in the wild has been recorded there. An attacker would need to lure an authenticated WordPress user into submitting a forged request, a condition that is foreseeable but generally requires social engineering or the exploitation of other site weaknesses. Once the malicious script is stored, it can affect all visitors, making the impact potentially widespread across the site’s user base.