Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to inject malicious JavaScript into data stored by the MemeOne plugin. When the stored content is rendered, the injected script executes in the browsers of all visitors, enabling cookie theft, defacement, or other client-side attacks. The injected script persists in the database, so the impact continues until the compromised data is removed or neutralized.
Affected Systems
All WordPress installations running the MemeOne plugin through version 2.0.5 are affected. The earliest affected version is unspecified, so any deployment that has not upgraded past 2.0.5 remains vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of < 1% represents a low but non-zero likelihood of exploitation. The issue is not yet listed in CISA’s Known Exploited Vulnerabilities catalog. The most likely attack path is a forged request, delivered through a malicious web page or email, that tricks a logged-in user into submitting data containing the malicious script. Once stored, the script runs on every page that displays the content, compromising the confidentiality and integrity of all site visitors. The vulnerability can be exploited by any user with permissions to submit content or by an attacker who can force a victim to trigger the CSRF request.