Impact
The vulnerability is a cross‑site request forgery (CSRF) issue in the Custom List Table Example plugin by Dutch van Andel that allows an attacker to place script in a request the plugin processes and have it reflected back to the browser. By exploiting the CSRF flaw, an attacker can cause a victim’s browser to execute arbitrary JavaScript when the victim loads a crafted link or page, leading to data theft, session hijacking, or defacement. The weakness therefore behaves as a reflected XSS flaw and can be triggered from any authenticated or unauthenticated page that processes the vulnerable request payload.
Affected Systems
The defect resides in the Custom List Table Example plugin distributed by Dutch van Andel. All instances of the plugin with version numbers up to and including 1.4.1 are vulnerable. No detailed sub‑version information is provided beyond the generic “<= 1.4.1” indicator.
Risk and Exploitability
The CVSS score of 7.1 rates this flaw as high severity, while the EPSS score of under 1 % indicates that exploitation attempts are expected to be very rare at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a CSRF attack carried out by delivering a crafted request to a logged‑in user, which then reflects malicious script back to the browser. Exploitation therefore requires both that the forged request is actually issued by the victim’s browser and that the browser renders the reflected payload.
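The combination described in the Impact and Risk sections (a request that is neither tied to a CSRF token nor output‑escaped) is illustrated below with a hypothetical WordPress admin page. This is an added example, not code from the Custom List Table Example plugin, and the advisory gives no code‑level detail of where the real flaw lies; every name prefixed `clt_example_` and the `clt-example` slug are assumptions. The WordPress core functions it relies on (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `wp_unslash`, `esc_attr`, `esc_html`) are real.

```php
<?php
// Hypothetical illustration (not the plugin's own code): an admin list-table page
// that reflects a search term from the request. Names prefixed clt_example_ are assumed.

// VULNERABLE pattern: the submitted value is echoed back without escaping, and the
// request carries no nonce, so a cross-site forged request reaching a logged-in user
// makes the page reflect attacker-controlled markup (CSRF leading to reflected XSS).
function clt_example_render_vulnerable() {
    $search = isset( $_REQUEST['s'] ) ? $_REQUEST['s'] : '';
    echo '<h2>Results for: ' . $search . '</h2>';                 // unescaped output
    echo '<input type="text" name="s" value="' . $search . '">';  // unescaped attribute
}

// HARDENED pattern: capability check, nonce verification before any reflected
// parameter is used, input sanitised, and every output escaped for its context.
function clt_example_render_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'clt-example' ) );
    }

    $search = '';
    if ( isset( $_REQUEST['s'] ) ) {
        // Dies with an error unless the request carries a valid nonce for this
        // action; a third-party site cannot know the nonce, so forged requests stop here.
        check_admin_referer( 'clt_example_search', 'clt_example_nonce' );
        $search = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );
    }

    echo '<form method="get">';
    echo '<input type="hidden" name="page" value="clt-example">';
    wp_nonce_field( 'clt_example_search', 'clt_example_nonce' );   // emits the nonce input
    echo '<input type="text" name="s" value="' . esc_attr( $search ) . '">';
    echo '<button type="submit">' . esc_html__( 'Search', 'clt-example' ) . '</button>';
    echo '</form>';

    if ( '' !== $search ) {
        // esc_html() neutralises any markup that survived sanitisation.
        echo '<h2>' . esc_html( 'Results for: ' . $search ) . '</h2>';
    }
}

// Register the hardened page; the vulnerable function is kept only for comparison.
add_action( 'admin_menu', function () {
    add_menu_page( 'CLT Example', 'CLT Example', 'manage_options',
        'clt-example', 'clt_example_render_hardened' );
} );
```

The two controls address different halves of the flaw: the nonce check stops a cross‑site page from getting the victim’s browser to submit the request in the first place, and context‑appropriate escaping (`esc_attr` inside attributes, `esc_html` in element content) stops any value that does arrive from being interpreted as script. `sanitize_text_field` on input is a sensible default but is not a substitute for escaping on output, since the safe treatment depends on where the value is rendered.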
OpenCVE Enrichment
EUVD