Impact
A Cross-Site Request Forgery (CSRF) flaw in the DSmidge HTTP to HTTPS link changer plugin by Eyga.net allows an attacker, without any account of their own on the site, to inject arbitrary JavaScript by tricking an authenticated administrator into issuing a crafted request to the WordPress site. Because the injected code is stored in the site's content database, it executes for every user who views the affected page, giving the attacker a persistent foothold for session hijacking, data theft, or defacement. The weakness is a classic CSRF that results in Stored XSS, so the impact on the confidentiality and integrity of site content, and on the browsing sessions of all visitors, is severe.
Affected Systems
WordPress installations running the DSmidge HTTP to HTTPS link changer plugin by Eyga.net at any version through 0.2.4. No particular PHP or web-server version is required: the flaw lies entirely in the plugin code and is exposed whenever the plugin is installed and active on a site.
Risk and Exploitability
With a CVSS score of 7.1 the vulnerability is rated High severity. The EPSS score of less than 1% indicates a very low current likelihood of automated exploitation, and the issue is not listed in CISA's KEV catalog. Because the vector is CSRF, however, a determined attacker who can target site administrators or other users with active sessions can still plant the stored XSS payload. The attack needs neither credentials on the target site nor access to its filesystem; it only requires that a victim with an active session be induced to issue the forged request, typically by opening a link in a phishing email or visiting an attacker-controlled or compromised site.
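The two sections above describe the same mechanism: an admin-only settings handler that accepts any request carrying the administrator's session cookie, and that stores the submitted value without sanitising it. The following is an added example, not code from the DSmidge plugin or from Eyga.net; the option name, form field, action name and function names are hypothetical. It shows the generic vulnerable pattern beside the hardened form that WordPress provides for it: a nonce bound to the user and action (`wp_nonce_field` / `check_admin_referer`), a capability check, validation on input and escaping on output.

```php
<?php
// Added example. Hypothetical plugin settings handler; none of the names below
// come from the affected plugin.

// --- Vulnerable pattern (generic CSRF that becomes stored XSS) ---
// Any POST to admin-post.php?action=example_save_setting that the browser sends
// with the admin's session cookie is honoured: there is no nonce, no capability
// check, and the raw value lands in the database. A page that later echoes the
// option without escaping turns the forged request into persistent script.
// (Deliberately NOT registered on a hook, so copying this file activates only
// the hardened handler below.)
function example_save_setting_vulnerable() {
    update_option( 'example_target_url', $_POST['target_url'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- Hardened form ---
// The form carries a nonce that is tied to the logged-in user, the action name
// and a time window. A third-party page cannot read it, so it cannot forge it.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_setting', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_setting">
        <input type="url" name="target_url"
               value="<?php echo esc_attr( get_option( 'example_target_url', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_setting_hardened() {
    // 1. Authorisation: only users allowed to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry the nonce issued to this user for this
    //    action. check_admin_referer() terminates the request on failure.
    check_admin_referer( 'example_save_setting', 'example_nonce' );

    // 3. Validation on the way in: keep only a syntactically valid URL.
    $url = isset( $_POST['target_url'] )
        ? esc_url_raw( wp_unslash( $_POST['target_url'] ) )
        : '';
    update_option( 'example_target_url', $url );

    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// 4. Escaping on the way out: the stored value is escaped wherever it is
//    rendered, so even a bad value already in the database cannot run as script.
function example_render_stored_url() {
    echo esc_html( get_option( 'example_target_url', '' ) );
}

add_action( 'admin_post_example_save_setting', 'example_save_setting_hardened' );
```

Steps 1 and 2 are the fix for the CSRF itself; steps 3 and 4 are what stop a forged request (or any other write path) from becoming stored XSS. A capability check alone is not enough, because in a CSRF the request really does come from a capable user; the nonce is what proves the user intended it.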
OpenCVE Enrichment
EUVD