Impact
The Real Seguro Viagem plugin for WordPress contains a CSRF flaw that lets an attacker cause a forged request to be submitted to the site's backend on behalf of an authenticated user. Through this request the attacker can make the plugin store attacker-controlled input. That stored data is later rendered without proper escaping, which turns the CSRF into a stored cross-site scripting (XSS) vulnerability. A successful attacker can inject arbitrary JavaScript that runs in the browser of any visitor who views a page displaying the injected content, enabling session hijacking, defacement, or malware distribution.
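The chain described above depends on two missing controls: a request check on the write path and output escaping on the read path. The following hypothetical WordPress settings handler, added here as an illustration and not code from Real Seguro Viagem, shows the flawed pattern next to the hardened one; all function, option and field names are assumed.

```php
<?php
// Hypothetical example added for illustration; NOT code from the Real Seguro
// Viagem plugin. Option, field and function names are assumptions.

// Flawed pattern: any POST reaching the handler is trusted (no nonce, no
// capability check), the raw value is stored, and it is echoed unescaped.
function rsv_example_save_flawed() {
    if ( isset( $_POST['rsv_banner_text'] ) ) {
        update_option( 'rsv_banner_text', $_POST['rsv_banner_text'] );
    }
}
function rsv_example_render_flawed() {
    // Stored value is written straight into the page: stored XSS sink.
    echo '<div class="rsv-banner">' . get_option( 'rsv_banner_text', '' ) . '</div>';
}

// Hardened pattern: the nonce binds the request to a form this user was
// served, the capability check limits who may save, input is sanitized on
// write and escaped on read.
function rsv_example_save_hardened() {
    if ( ! isset( $_POST['rsv_banner_text'] ) ) {
        return;
    }
    // Dies unless the request carries a valid nonce for this action (CSRF check).
    check_admin_referer( 'rsv_save_banner', 'rsv_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rsv-example' ), 403 );
    }
    $text = sanitize_text_field( wp_unslash( $_POST['rsv_banner_text'] ) );
    update_option( 'rsv_banner_text', $text );
}
function rsv_example_render_hardened() {
    // Escape at the point of output regardless of how the value was stored.
    echo '<div class="rsv-banner">' . esc_html( get_option( 'rsv_banner_text', '' ) ) . '</div>';
}
function rsv_example_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'rsv_save_banner', 'rsv_nonce' );   // emits the hidden nonce field
    echo '<input type="text" name="rsv_banner_text" value="'
        . esc_attr( get_option( 'rsv_banner_text', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
add_action( 'admin_init', 'rsv_example_save_hardened' );
```

Sanitizing on write alone is not sufficient: a value stored before the fix, or written through another path, still reaches the page, so the escaping in the render function is the control that closes the XSS.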
Affected Systems
The flaw affects all releases of Real Seguro Viagem up to and including version 2.0.5. The plugin can be installed on WordPress sites from the WordPress.org repository or other sources. No specific operating system or web server is required beyond standard WordPress hosting.
Risk and Exploitability
The CVSS base score is 7.1, reflecting moderate severity. The EPSS score of less than 1 percent indicates a low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires luring a privileged user into sending a crafted request (the CSRF step), so the primary attack vector is remote, through a web browser or an automated script. Once the XSS payload is stored, any visitor to the affected content could be impacted. Given the low EPSS, exploitation is not yet widespread, but the impact could be severe if an attacker were to inject malicious content.
OpenCVE Enrichment