Impact
The Floatbox Plus plugin contains a Cross‑Site Request Forgery flaw (CWE‑352) that lets an attacker cause an authenticated user's browser to submit a forged request, forcing the plugin to store attacker-controlled JavaScript in the database. The stored script then executes in the browsers of all visitors who view the affected content, enabling theft of session data, defacement, or other malicious activity. The resulting Stored XSS undermines application integrity and potentially the confidentiality of user data. The CVE documentation explicitly states that the flaw leads to Stored XSS.
Affected Systems
WordPress sites using the cybio Floatbox Plus plugin, versions from the earliest available release up to and including 1.4.4. No other vendors or product variants are listed.
Risk and Exploitability
The vulnerability has a CVSS score of 7.1, categorizing it as High severity. The weakness class is Cross‑Site Request Forgery (CWE‑352). The EPSS score is less than 1 %, indicating a low probability of exploitation in the near term, and it is not present in the CISA KEV catalog. Exploitation requires an authenticated user to be tricked into sending a forged request, an attack vector that is commonly feasible through embedded links or emails (inferred). Because the flaw leads to persistent script injection rather than immediate remote code execution, the risk is bounded to the browsers of site visitors, but it can still facilitate broad user compromise if the site serves many users.
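To make the CSRF-to-Stored-XSS chain described under Impact and Risk and Exploitability concrete, the following is an added illustration, not code from the Floatbox Plus plugin (whose internals this page does not show): a hypothetical WordPress settings handler in the unprotected pattern that allows a forged request to persist arbitrary markup, beside a hardened version that verifies a nonce, checks the caller's capability, sanitizes the stored value and escapes it on output. The option name, form field and action names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Option, field and action names are hypothetical.

// WEAK PATTERN: no nonce, no capability check, raw storage, unescaped output.
// Any POST carrying 'fbp_caption', including one a logged-in victim's browser
// is tricked into sending, overwrites the option with arbitrary markup.
function fbp_weak_save() {
    if ( isset( $_POST['fbp_caption'] ) ) {
        update_option( 'fbp_caption', $_POST['fbp_caption'] ); // stored verbatim
    }
}
function fbp_weak_render() {
    echo '<div class="fbp-caption">' . get_option( 'fbp_caption' ) . '</div>';
}

// HARDENED PATTERN: the form embeds a nonce, the handler verifies it, checks the
// caller's capability and sanitizes the input; output is escaped when rendered.
function fbp_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fbp_save_caption">
        <?php wp_nonce_field( 'fbp_save_caption', 'fbp_nonce' ); ?>
        <input type="text" name="fbp_caption"
               value="<?php echo esc_attr( get_option( 'fbp_caption', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function fbp_save_caption() {
    // CSRF defense: the nonce is bound to this action and the current user's session,
    // so a cross-site form post cannot carry a valid one. Dies with an error on failure.
    check_admin_referer( 'fbp_save_caption', 'fbp_nonce' );
    // Authorization: only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Sanitization: strip tags and control characters before the value is stored.
    $caption = sanitize_text_field( wp_unslash( $_POST['fbp_caption'] ?? '' ) );
    update_option( 'fbp_caption', $caption );
    wp_safe_redirect( admin_url( 'options-general.php?page=fbp&updated=1' ) );
    exit;
}
add_action( 'admin_post_fbp_save_caption', 'fbp_save_caption' );

function fbp_render_caption() {
    // Output escaping: even a bad value that somehow reached the database cannot execute.
    echo '<div class="fbp-caption">' . esc_html( get_option( 'fbp_caption', '' ) ) . '</div>';
}
```

The nonce check and capability check together close the CSRF path, while sanitization on write and escaping on read each independently prevent the stored value from executing as script.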
OpenCVE Enrichment