Impact
The plugin accepts a settings write without verifying a CSRF token, so an attacker can use a Cross‑Site Request Forgery attack to store malicious JavaScript in the WP Background Tile plugin’s data. Once stored, the script is rendered wherever the plugin outputs that data and executes in the browser of any visitor or administrator who loads the affected page, enabling credential theft, defacement, or arbitrary script execution in the site’s context. In short, a missing CSRF control is the entry point for a stored XSS, resulting in a loss of confidentiality and potential integrity and availability impact for the affected website.
Affected Systems
The WordPress plugin WP Background Tile from vendor sammyb is affected in all versions up to and including 1.0. Every installation running version 1.0 or earlier is vulnerable until the issue is resolved; no later version is named here.
Risk and Exploitability
The CVSS score of 7.1 falls in the High band (7.0 to 8.9), while the EPSS score of less than 1% suggests that exploitation in the wild is unlikely but not negligible. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be a crafted HTTP request to a plugin handler that does not verify a CSRF token (in WordPress terms, a nonce): the attacker hosts a page that submits the forged request and lures a logged‑in administrator into visiting it, and the administrator’s browser sends the request with the victim’s session cookies, so no credentials need to be stolen first. Once the request is processed, the injected script is persisted and executes for every user who loads a page where the plugin renders it.
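To make the weakness class concrete, the following is an added, hypothetical example of a WordPress plugin settings handler, not the WP Background Tile plugin’s own code and not derived from it. The option name `bg_tile_url`, the action name `bg_tile_save` and the function names are assumed for illustration. The vulnerable functions are defined but deliberately not hooked; only the hardened versions are registered.

```php
<?php
// Added illustration of the weakness class described on this page.
// Not the WP Background Tile code; option and action names are assumptions.

// ---------- Vulnerable pattern (shown for contrast, NOT hooked) ----------

function bg_tile_save_vulnerable() {
    // Weakness 1: no nonce (check_admin_referer) and no capability check, so
    // any request an administrator's browser can be tricked into sending
    // (e.g. an auto-submitting form on an attacker's page) is accepted.
    if (isset($_POST['bg_tile_url'])) {
        // Weakness 2: raw input is persisted without sanitization.
        update_option('bg_tile_url', $_POST['bg_tile_url']);
    }
}

function bg_tile_head_vulnerable() {
    // Weakness 3: the stored value is echoed unescaped into the page, so a
    // stored payload runs for every visitor who loads the front end.
    $url = get_option('bg_tile_url', '');
    echo '<style>body{background:url(' . $url . ')}</style>';
}

// ---------- Hardened pattern (hooked) ----------

function bg_tile_save_hardened() {
    // Fix 1: reject any request that does not carry a valid nonce for this action.
    // check_admin_referer() calls wp_die() on failure, so execution stops here
    // for a forged cross-site request.
    check_admin_referer('bg_tile_save');

    // Fix 2: require an administrator-level capability as well; the nonce
    // proves intent, the capability proves authorization.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    // Fix 3: constrain the value to a URL before it is stored.
    $url = isset($_POST['bg_tile_url'])
        ? esc_url_raw(wp_unslash($_POST['bg_tile_url']))
        : '';
    update_option('bg_tile_url', $url);

    wp_safe_redirect(admin_url('options-general.php?page=bg-tile&saved=1'));
    exit;
}
add_action('admin_post_bg_tile_save', 'bg_tile_save_hardened');

function bg_tile_settings_form() {
    // The settings form posts to admin-post.php and embeds the nonce field
    // that bg_tile_save_hardened() verifies.
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    wp_nonce_field('bg_tile_save');
    echo '<input type="hidden" name="action" value="bg_tile_save">';
    echo '<input type="text" name="bg_tile_url" value="'
        . esc_attr(get_option('bg_tile_url', '')) . '">';
    submit_button('Save');
    echo '</form>';
}

function bg_tile_head_hardened() {
    // Fix 4: escape on output as well, so even a value that reached the
    // database by another route cannot break out of the CSS url() context.
    $url = get_option('bg_tile_url', '');
    if ($url !== '') {
        echo '<style>body{background:url("' . esc_url($url) . '")}</style>';
    }
}
add_action('wp_head', 'bg_tile_head_hardened');
```

The two halves of the fix are independent: the nonce and capability checks close the CSRF entry point, and the input sanitization plus output escaping remove the stored XSS even if some other path writes to the option. When reviewing a plugin for this pattern, look for `update_option()` calls reachable from `admin_init`, `init` or an AJAX/`admin_post` handler that are not preceded by `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()`, and then trace where the stored value is printed.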
OpenCVE Enrichment