Impact
The vulnerability is an improper neutralization of input during web page generation (CWE-79), a classic stored cross-site scripting flaw: an attacker can use the plugin's image import functionality to submit script that is written to the site's stored data and later rendered, unescaped, into pages viewed by other users. Because the payload is persisted rather than merely reflected in one response, it runs in the browser of every user who views the affected content, enabling browser-side attacks such as session hijacking or theft of sensitive data. The description does not spell out how the payload reaches the import handler; the inferred vector is CSRF, in which a logged-in user is induced to submit a crafted import request from a page the attacker controls, so the attacker needs no account of their own on the target site.
Affected Systems
The affected product is the Blogger Image Import plugin for WordPress, by Poco. Versions up to and including 2.1 are vulnerable; the record states the range as "Blogger Image Import: from 2.1 through n/a", where the "n/a" upper bound indicates that no fixed version is named. Until a patched release is confirmed, any WordPress installation running the plugin should be treated as affected.
Risk and Exploitability
The CVSS score of 7.1 rates the vulnerability High, while the EPSS score below 1% indicates a low probability of exploitation in the wild at present; it is not listed in the CISA KEV catalog. Based on the description, the likely attack path is a remote, unauthenticated attacker luring a logged-in user who can run the import (typically an administrator) to a page that submits the crafted import request on that user's behalf. No privileges or local access are required on the attacker's side, but the attack does depend on user interaction. Once stored, the script affects every visitor to the resulting content, not only the user who was tricked, which is what justifies the high impact rating. Overall risk is therefore moderate to high, tempered by the low current exploitation likelihood; since no fixed version is named, deactivating or removing the plugin until an update is available is the practical mitigation.
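The chain described above (an import request that is not bound to the submitting user, whose values are stored and later echoed unescaped) is shown below as an added example. This is hypothetical illustrative code, not the Blogger Image Import plugin's own source: the `hyp_*` names, option key and form fields are invented, and the weak handler models the pattern the advisory describes rather than the plugin's actual code. The hardened version applies the three controls WordPress provides for it: a nonce to defeat CSRF, a capability check, and output escaping at the sink.

```php
<?php
/*
 * Hypothetical WordPress image-import handler (not the Blogger Image Import
 * plugin's code). Shows the CSRF -> stored XSS pattern and its hardened form.
 */

// --- Weak version: the pattern the advisory describes (do not ship this) ---
// No nonce, no capability check; raw POST values are stored, then echoed raw.
function hyp_weak_import_handler() {
    $items = array();
    foreach ( (array) ( $_POST['images'] ?? array() ) as $i => $url ) {
        $items[] = array(
            'url'     => $url,
            'caption' => $_POST['captions'][ $i ] ?? '',
        );
    }
    update_option( 'hyp_imported_images', $items ); // payload is now persisted
}

function hyp_weak_render_gallery() {
    foreach ( (array) get_option( 'hyp_imported_images', array() ) as $img ) {
        // Stored values reach the page unescaped, so a caption such as
        // <script>...</script> or a URL with an onerror attribute executes.
        echo '<figure><img src="' . $img['url'] . '"><figcaption>'
            . $img['caption'] . '</figcaption></figure>';
    }
}

// --- Hardened version ---
function hyp_hardened_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hyp_import_images">';
    // Per-user, per-action token; a cross-site form cannot obtain it.
    wp_nonce_field( 'hyp_import_images', 'hyp_import_nonce' );
    echo '<input type="text" name="images[]">';
    echo '<input type="text" name="captions[]">';
    submit_button( 'Import' );
    echo '</form>';
}
add_action( 'admin_post_hyp_import_images', 'hyp_hardened_import_handler' );

function hyp_hardened_import_handler() {
    // 1. CSRF: dies with a 403 page if the nonce is missing, stale or forged.
    check_admin_referer( 'hyp_import_images', 'hyp_import_nonce' );

    // 2. Authorisation: only users who may upload media can import.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hyp' ), '', array( 'response' => 403 ) );
    }

    // 3. Input validation before storage.
    $urls     = array_map( 'esc_url_raw', (array) wp_unslash( $_POST['images'] ?? array() ) );
    $captions = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['captions'] ?? array() ) );
    $items    = array();
    foreach ( $urls as $i => $url ) {
        $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
        if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
            continue; // rejects javascript:, data: and malformed URLs
        }
        $items[] = array( 'url' => $url, 'caption' => $captions[ $i ] ?? '' );
    }
    update_option( 'hyp_imported_images', $items );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

function hyp_hardened_render_gallery() {
    foreach ( (array) get_option( 'hyp_imported_images', array() ) as $img ) {
        // 4. Output encoding at the sink, regardless of what was stored:
        // esc_url() for the attribute, esc_html() for text content.
        printf(
            '<figure><img src="%s"><figcaption>%s</figcaption></figure>',
            esc_url( $img['url'] ),
            esc_html( $img['caption'] )
        );
    }
}
```

The nonce alone stops the CSRF trigger, but escaping at render time is what removes the XSS even if a payload is already in the database from an earlier, unpatched version; a fix that adds only the nonce leaves previously stored content exploitable. When assessing a site after this advisory, inspect the plugin's stored options and any imported post content for script fragments, not just the request handler.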