Impact
Cross-Site Request Forgery allows an attacker to have a malicious request processed as though it came from an authenticated user, and here that request can insert JavaScript into the site content. The weakness, classified as CWE-352, can lead to a stored cross-site scripting condition in which every visitor to the compromised site receives and executes attacker-supplied code, exposing them to data theft, defacement, or further phishing. The likely attack path is a forged request to an endpoint of the Content Security Policy Pro plugin that verifies neither the request origin nor a valid CSRF token, so the malicious payload is saved in the database.
Affected Systems
The affected vendor is thapa.laxman; the product is the Content Security Policy Pro WordPress plugin. All releases up to and including version 1.3.5 contain the flaw. No other versions are currently documented as affected.
Risk and Exploitability
The CVSS score of 7.1 reflects a moderate-to-high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed active exploitation yet. An attacker would need either the ability to send requests with administrative privileges or a way to trick a privileged user into submitting a form, after which the malicious content would be stored and later served to site visitors. Given the moderate severity and low exploitation likelihood, monitoring and patching remain the best defenses.
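The two gaps named above (no origin or token check on save, and stored markup served back unescaped) are the ones a WordPress settings handler has to close. The handler below is an added example, not the plugin's own code; the `demo_csp_*` function names, option key, form fields and admin page slug are hypothetical.

```php
<?php
// Added example (hypothetical plugin code, not Content Security Policy Pro).
// Closes the CSRF half of the chain with a capability check plus a nonce bound
// to the logged-in user, and the stored-XSS half by sanitizing on save and
// escaping on output.

add_action( 'admin_post_demo_csp_save', 'demo_csp_save' );

function demo_csp_save() {
    // 1. Capability check: only users permitted to manage settings may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce is tied to the user's session and to the action
    //    name, so a request forged from another site cannot carry a valid one.
    //    check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer( 'demo_csp_save_action', 'demo_csp_nonce' );

    // 3. Sanitize before storing: tags are stripped, so markup never reaches the DB.
    $policy = isset( $_POST['demo_csp_policy'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['demo_csp_policy'] ) )
        : '';

    update_option( 'demo_csp_policy', $policy );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-csp&updated=1' ) );
    exit;
}

// The settings form that targets the handler. wp_nonce_field() emits the hidden
// nonce input that check_admin_referer() looks for.
function demo_csp_render_form() {
    $policy = get_option( 'demo_csp_policy', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_csp_save">
        <?php wp_nonce_field( 'demo_csp_save_action', 'demo_csp_nonce' ); ?>
        <!-- 4. Escape on output: a stored value is rendered as text, never executed. -->
        <textarea name="demo_csp_policy"><?php echo esc_textarea( $policy ); ?></textarea>
        <?php submit_button( 'Save policy' ); ?>
    </form>
    <?php
}
```

A handler missing step 2 accepts a forged cross-site POST, and one missing steps 3 or 4 lets whatever was saved run in the browser of every visitor to the page that prints it.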