This vulnerability allows an attacker to perform a cross‑site request forgery that results in stored cross‑site scripting. By exploiting the missing CSRF token, a malicious payload can be persisted in the plugin’s data, which will be rendered later to any visitor. The primary impact is that affected users who view the stored content can have their browsers tricked into executing arbitrary JavaScript, potentially leading to cookie theft, session hijacking, defacement, or other client‑side compromises.

The affected system is the WordPress plugin Bible Embed (jd7777). Versions from the initial release up through 0.0.4 are vulnerable. The vulnerability exists in all n/a through <=0.0.4 releases.

The CVSS score of 7.1 indicates moderate‑to‑high severity. The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require a victim to be logged into a site where the plugin is installed or to have the ability to force a logged‑in user to submit a forged request. Once the request is processed, the malicious script is stored and will execute whenever the affected content is viewed. Given the nature of stored XSS, the impact can affect any site user and potentially all visitors to the site.