Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) that lets an attacker cause a logged-in user's browser to submit a crafted request which stores attacker-controlled JavaScript in the WordPress site. The stored script is then served to everyone who views the affected pages and runs in their browsers, so any visitor to the tainted content may have session information exposed or see the page content altered by the injected script. This is the usual outcome of stored XSS: once client-side code is persisted by the application, it is delivered to every subsequent reader of that content.
Affected Systems
The flaw exists in the Kathleen Malone Find Your Reps WordPress plugin and affects every version up to and including 1.2. WordPress installations running an affected version of this plugin remain vulnerable until the plugin is updated to a fixed release or removed.
Risk and Exploitability
The CVSS score of 7.1 falls in the High band (7.0 to 8.9) of the CVSS scale. The EPSS score of less than 1% suggests exploitation in the wild is currently unlikely, and the issue is not listed in the CISA KEV catalog. The attack vector is CSRF: the attacker must get a user who is authenticated to the target site, and who holds the permission needed to save the plugin's content, to submit a forged request without realising it (for example by visiting an attacker-controlled page), and that request then stores the malicious payload. User interaction is therefore required for the initial step, but once the store succeeds no further interaction is needed: every visitor to the affected content receives the injected script, so a single successful forgery can affect many users.
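The two paragraphs above describe the CSRF-to-stored-XSS chain in general terms. The following is an added illustration in PHP, not code from the Find Your Reps plugin and not the plugin's actual handler: a hypothetical settings handler written in the unsafe pattern (no nonce, no capability check, raw storage, raw output) beside the hardened form using WordPress core APIs. The option name `fyr_intro_text`, the action names and the field names are assumptions made for the example.

```php
<?php
/*
 * Added example, not code from the Find Your Reps plugin. The option name,
 * action hooks and field names are hypothetical. It contrasts a handler that
 * is forgeable and stores unescaped HTML with a hardened version.
 */

// --- Unsafe pattern: any request reaching this handler is honoured. A forged
//     cross-site POST auto-submitted by a logged-in admin's browser arrives
//     with that admin's cookies and is processed as if the admin sent it. ---
add_action( 'admin_post_fyr_save_vuln', 'fyr_save_settings_vuln' );
function fyr_save_settings_vuln() {
    update_option( 'fyr_intro_text', $_POST['intro_text'] ); // stored verbatim
    wp_safe_redirect( admin_url( 'options-general.php?page=fyr' ) );
    exit;
}

function fyr_render_intro_vuln() {
    echo get_option( 'fyr_intro_text' ); // injected markup served to every visitor
}

// --- Hardened pattern ---
add_action( 'admin_post_fyr_save', 'fyr_save_settings' );
function fyr_save_settings() {
    // 1. Authorisation: only users allowed to change site settings proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() stops the request unless a valid
    //    nonce bound to this action and this user accompanies it. A page on
    //    another origin cannot read the nonce, so it cannot forge the request.
    check_admin_referer( 'fyr_save_settings', 'fyr_nonce' );

    // 3. Sanitise at write time: strips tags and control characters.
    $intro = isset( $_POST['intro_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['intro_text'] ) )
        : '';
    update_option( 'fyr_intro_text', $intro );

    wp_safe_redirect( admin_url( 'options-general.php?page=fyr' ) );
    exit;
}

// Settings form: wp_nonce_field() emits the hidden nonce the handler verifies,
// using the same action and field names as check_admin_referer() above.
function fyr_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fyr_save">
        <?php wp_nonce_field( 'fyr_save_settings', 'fyr_nonce' ); ?>
        <input type="text" name="intro_text"
               value="<?php echo esc_attr( get_option( 'fyr_intro_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 4. Escape at output time as well: data already in the database may predate
//    the fix or have been written through another path, so the renderer must
//    not trust it just because the current save handler sanitises input.
function fyr_render_intro() {
    echo esc_html( get_option( 'fyr_intro_text', '' ) );
}
```

Nonce verification and the capability check address the CSRF half of the chain; sanitising on write and escaping on output address the stored XSS half. Both halves are needed: a nonce alone still lets a legitimately authorised user store script, and escaping alone still lets an attacker rewrite settings through a forged request.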