Impact
The More Link Modifier plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw that lets an attacker inject arbitrary client-side script into the site. By forging a request that an authenticated administrator unknowingly submits, the attacker can store malicious JavaScript in page content. The resulting stored XSS can lead to theft of session cookies, site defacement, or execution of arbitrary script in the victim's browser, compromising the confidentiality, integrity, and availability of users' interactions with the site.
Affected Systems
The vulnerability affects the WordPress plugin More Link Modifier from the developer pyko, specifically all releases from the earliest available version through 1.0.3 inclusive. Site owners running these plugin versions are at risk and should verify their installation.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog, and successful exploitation requires the attacker to induce an authenticated WordPress administrator to perform the forged action, so the threat increases where admin credentials have been compromised or privileges escalated. The attack vector is inferred to be a crafted link directed at an admin user, and exploitation would rely on the absence of CSRF token (nonce) validation in the plugin's request handling.
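As an added illustration, not code from the More Link Modifier plugin or from OpenCVE, the PHP below shows the class of defect the advisory describes (an admin settings handler with no CSRF token validation) next to a hardened handler that adds a WordPress nonce, a capability check, input sanitization and output escaping. Every function, option, nonce and form-field name here is hypothetical; only the WordPress core APIs are real.

```php
<?php
// Added example (not the plugin's own code). Hypothetical option and nonce names.
define('EXAMPLE_OPTION', 'example_more_link_text');
define('EXAMPLE_NONCE_ACTION', 'example_save_more_link');
define('EXAMPLE_NONCE_FIELD', '_example_nonce');

// VULNERABLE PATTERN (hypothetical, for contrast): the handler trusts any POST
// that arrives while an administrator is logged in. A request forged from a
// third-party page carries the admin's cookies, passes this code, and the raw
// value is stored and later rendered unescaped, which is the CSRF-to-stored-XSS
// chain described in the advisory.
function example_vulnerable_save() {
    if (isset($_POST['more_link_text'])) {
        update_option(EXAMPLE_OPTION, $_POST['more_link_text']); // no nonce, no sanitization
    }
}

// HARDENED: render the settings form with a nonce bound to the action and the
// current user's session. This hidden field is what the vulnerable form lacks.
function example_render_settings_page() {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'example'));
    }
    $current = get_option(EXAMPLE_OPTION, '');
    echo '<form method="post" action="">';
    wp_nonce_field(EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD);
    echo '<input type="text" name="more_link_text" value="' . esc_attr($current) . '">';
    submit_button(__('Save', 'example'));
    echo '</form>';
}

// HARDENED: three checks in order, capability, nonce, sanitization.
function example_handle_save() {
    if (!isset($_POST['more_link_text'])) {
        return;
    }
    // 1. Capability: only users allowed to manage options may change this setting.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'example'));
    }
    // 2. CSRF: check_admin_referer() dies unless the request carries a nonce
    //    valid for this action and user. A cross-site forged request cannot
    //    supply that value, so it is rejected here.
    check_admin_referer(EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD);
    // 3. Sanitize before storing so the option cannot hold markup or script.
    $clean = sanitize_text_field(wp_unslash($_POST['more_link_text']));
    update_option(EXAMPLE_OPTION, $clean);
}
add_action('admin_init', 'example_handle_save');

// HARDENED: escape on output as well, so whatever is stored is rendered as
// text rather than interpreted as HTML when the "more" link is printed.
function example_filter_more_link($link) {
    $text = get_option(EXAMPLE_OPTION, '');
    if ($text === '') {
        return $link;
    }
    return '<a href="' . esc_url(get_permalink()) . '">' . esc_html($text) . '</a>';
}
add_filter('the_content_more_link', 'example_filter_more_link');
```

The nonce check alone closes the CSRF entry point; the sanitization and escaping steps are defence in depth so that a bypass of the first check (or an unrelated injection path) still cannot turn the stored value into executable script. For site owners who cannot update immediately, auditing plugin handlers for calls to update_option() or wp_update_post() that are not preceded by check_admin_referer() or wp_verify_nonce() is a practical way to spot the same pattern.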
OpenCVE Enrichment