Impact
A Cross‑Site Request Forgery flaw in the Theme My Ontraport Smartform plugin lets an attacker cause a victim's browser to submit a state‑changing request that stores a malicious script in the database; the script is later executed in the browsers of visitors to the site. Such stored XSS can deface the site, steal session cookies, or exfiltrate user data, compromising the confidentiality, integrity, and availability of the affected WordPress site. The root cause is a classic instance of CWE‑352 (Cross‑Site Request Forgery): the application does not verify that a state‑changing request was intentionally sent by the authenticated user.
Affected Systems
The vulnerability applies to the itmooti Theme My Ontraport Smartform plugin for WordPress, specifically every release from the initial version up to and including 1.2.11. No fixed version was noted in the source data, so any instance running 1.2.11 or earlier should be treated as affected.
Risk and Exploitability
The CVSS v3 base score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently rare. The vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation is known at this time. Exploitation requires a CSRF attack whose forged request results in a stored payload being saved to the database, which likely means targeting a privileged user who can submit form content. If the submission is not protected against forged requests, the attacker needs no credentials of their own; it is enough to trick an authenticated user's browser into sending the request.
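The chain described above (forged request, unsanitized storage, unescaped output) is blocked by three independent controls on the WordPress side: a nonce tied to the user's session and the specific action, a capability check, and sanitization on input plus escaping on output. The following added example shows a minimal admin form handler with the vulnerable shape beside its hardened form. It is not code from the Theme My Ontraport Smartform plugin or its author; all `hsf_*` function, option and shortcode names are hypothetical, and it relies only on standard WordPress core APIs.

```php
<?php
/*
 * Added example, not part of the plugin described in this advisory.
 * All hsf_* identifiers are hypothetical; every other function is
 * WordPress core.
 */

// --- Vulnerable shape, shown for contrast only ---
// No nonce, no capability check, no sanitization: any cross-site POST
// from a logged-in user's browser persists attacker-controlled HTML.
function hsf_save_unsafe() {
    if ( isset( $_POST['hsf_html'] ) ) {
        update_option( 'hsf_html', $_POST['hsf_html'] );
    }
}

// --- Hardened form: embeds a nonce bound to the 'hsf_save' action ---
function hsf_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'hsf_save', 'hsf_nonce' ); ?>
        <input type="hidden" name="action" value="hsf_save">
        <textarea name="hsf_html"><?php echo esc_textarea( get_option( 'hsf_html', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// --- Hardened handler, reached via the admin_post_{action} hook ---
function hsf_save() {
    // 1. Anti-CSRF: the nonce is derived from the user's session and the
    //    action name, so a request forged from another origin cannot carry
    //    a valid one. check_admin_referer() terminates with HTTP 403 on failure.
    check_admin_referer( 'hsf_save', 'hsf_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege, so the
    //    capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 3. Input sanitization: wp_kses_post() removes <script>, event-handler
    //    attributes and javascript: URLs before the value is stored.
    $html = isset( $_POST['hsf_html'] )
        ? wp_kses_post( wp_unslash( $_POST['hsf_html'] ) )
        : '';
    update_option( 'hsf_html', $html );

    wp_safe_redirect( add_query_arg( 'hsf_saved', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_hsf_save', 'hsf_save' );

// 4. Output filtering: re-apply the allow-list when rendering on the
//    front end, so content stored before the fix cannot execute either.
function hsf_shortcode() {
    return wp_kses_post( get_option( 'hsf_html', '' ) );
}
add_shortcode( 'hsf_form', 'hsf_shortcode' );
```

For detection on an existing site, a review of stored options and post content for `<script` or `on*=` attributes, together with web server logs showing POSTs to the plugin's save endpoint without a matching `_wpnonce`/nonce parameter, gives a reasonable first indication of whether this class of flaw has been exercised.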
OpenCVE Enrichment