Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) in a request handler that stores attacker-controlled content. Because the handler does not adequately verify that a state-changing request originated from the plugin's own pages, an attacker can make the browser of a logged-in, privileged user submit a forged request that saves a script payload. That payload is later rendered to other visitors and executes in the browser of anyone who views the affected content (stored XSS), enabling credential theft, session hijacking, or defacement. The weakness is classified as CWE-352. No exploitation in the wild is known, but a successful attack gives the attacker persistent script execution on the site's front end.
Affected Systems
WordPress sites running the Import Users to MailChimp plugin by Sana Ullah, any version up to and including 1.0. Every installation with the plugin active is affected, regardless of the WordPress core version; administrators should confirm the installed version and activation state from the plugin list rather than assume a newer core release mitigates the issue.
Risk and Exploitability
The likely attack vector, inferred from the CVE description of a CSRF flaw leading to stored XSS, is a forged request triggered when a logged-in privileged user (typically an administrator) opens a crafted link or page controlled by the attacker; the attacker needs no account of their own, only that victim's browser session. The CVSS score of 7.1 is a High rating under CVSS v3.x, reflecting loss of confidentiality, integrity, and availability once the stored script runs. The EPSS score of < 1 % indicates a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. However, because the missing CSRF safeguard is the only barrier, an attacker who can get an administrator to visit a crafted URL can achieve the exploit in a relatively straightforward manner. While the overall risk is tempered by the low exploitation probability, the persistent impact warrants prompt action: update the plugin as soon as a fixed release is available, and until then deactivating it removes the exposed handler.
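To make the CSRF-to-stored-XSS chain described in the Impact and Risk sections concrete, the following is an added illustration written for this page; it is not code from the Import Users to MailChimp plugin or from its author. It shows a hypothetical WordPress settings handler in the shape that produces the flaw, followed by a hardened version. The hook name, option name, nonce action and form field names (demo_save_settings, demo_list_name, demo_nonce, list_name) are assumptions chosen for the example.

```php
<?php
/*
 * Added illustration, not code from the Import Users to MailChimp plugin.
 * A hypothetical admin_post_ handler for a WordPress plugin, shown first in
 * the shape that yields CSRF -> stored XSS, then hardened. All names
 * (demo_save_settings, demo_list_name, demo_nonce, list_name) are assumed.
 */

// --- Vulnerable pattern --------------------------------------------------
// The handler trusts any POST it receives. A victim logged in as an
// administrator who is lured to an attacker page that auto-submits a form to
// admin-post.php?action=demo_save_settings will store the attacker's value.
// Nothing proves the request came from the plugin's own settings page (no
// nonce) and nothing checks the user's capability.
function demo_save_settings_vulnerable() {
    // Stored verbatim: a <script> tag in list_name lands in the database.
    update_option( 'demo_list_name', $_POST['list_name'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Rendered without escaping: the stored payload executes in every browser
// that views this page, which is the stored XSS half of the chain.
function demo_render_current_list_vulnerable() {
    echo '<p>Current list: ' . get_option( 'demo_list_name', '' ) . '</p>';
}

// --- Hardened pattern ----------------------------------------------------
// The settings form embeds a nonce that a cross-origin attacker page cannot
// obtain, because it is derived from the victim's session.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="text" name="list_name"
               value="<?php echo esc_attr( get_option( 'demo_list_name', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_save_settings_hardened() {
    // 1. Authorisation: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: verify the nonce tied to this user's session (and the
    //    Referer); check_admin_referer() terminates the request on failure.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // 3. Input sanitisation: strip tags and control characters before storage.
    $list_name = isset( $_POST['list_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['list_name'] ) )
        : '';
    update_option( 'demo_list_name', $list_name );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// 4. Output escaping: even if a bad value ever reaches the database, it is
//    rendered as text rather than markup, so a stored payload cannot execute.
function demo_render_current_list_hardened() {
    echo '<p>Current list: ' . esc_html( get_option( 'demo_list_name', '' ) ) . '</p>';
}

add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );
```

The two halves of the chain are independent controls: the nonce and capability check stop the forged request (CWE-352), while sanitisation on input and escaping on output stop a stored value from executing (the XSS). A plugin missing only the first still fails this advisory's scenario, which is why both are applied in the hardened version.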