Impact
The CNZZ&51LA for WordPress plugin contains a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to have requests performed on behalf of authenticated users. Because the forged request can write attacker-controlled content into the plugin's stored settings, the CSRF issue can also result in stored cross-site scripting, letting the attacker inject scripts that execute in victims' browsers. The primary impact is the compromise of confidentiality and integrity of data on the affected site, and a potential loss of user trust.
Affected Systems
This vulnerability affects all installations of the jprintf CNZZ&51LA for WordPress plugin up to and including version 1.0.1. Any WordPress site that has not updated beyond this release is susceptible.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score of < 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. If a forged request that embeds malicious code is accepted and stored, the stored XSS payload executes whenever any visitor loads the affected page, producing client-side code execution. The likely attack vector requires the attacker to convince a legitimate, logged-in user to visit a malicious link or submit a crafted form so that the forged request is sent with that user's credentials.
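The mitigation for this class of bug is the standard WordPress pattern: require a nonce on the settings form, check the nonce and the caller's capability before storing anything, validate the input, and encode it on output. The following is an added example written for this advisory, not code from the jprintf CNZZ&51LA plugin. It assumes the plugin stores a single analytics site ID as an option and prints it into a script tag; the option name, nonce action, function names and the numeric-ID format are all hypothetical.

```php
<?php
// Added example, not the CNZZ&51LA plugin's own code. Assumed: the plugin
// keeps an analytics site ID in an option and prints it on every page.
// Option names, nonce names and the numeric-ID rule are hypothetical.

// --- Weak pattern: no nonce, no capability check, raw output ---------------
function cnzz51la_save_settings_weak() {
    if ( isset( $_POST['cnzz51la_site_id'] ) ) {
        // A cross-site form submitted by a logged-in admin's browser lands
        // here with the admin's cookies, and the value is stored unchecked.
        update_option( 'cnzz51la_site_id', $_POST['cnzz51la_site_id'] );
    }
}

function cnzz51la_print_tracker_weak() {
    // Whatever was stored is echoed verbatim into every visitor's page,
    // which is where a stored payload would run.
    echo '<script>var cnzz_site_id = "' . get_option( 'cnzz51la_site_id' ) . '";</script>';
}

// --- Hardened pattern ------------------------------------------------------
function cnzz51la_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cnzz51la_save_settings', 'cnzz51la_nonce' ); ?>
        <input type="text" name="cnzz51la_site_id"
               value="<?php echo esc_attr( get_option( 'cnzz51la_site_id', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function cnzz51la_save_settings() {
    if ( ! isset( $_POST['cnzz51la_site_id'] ) ) {
        return;
    }

    // 1. Capability check: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. CSRF defence: the nonce is bound to the user, the action and a
    //    time window. A form hosted on another site cannot know it, so
    //    check_admin_referer() dies before anything is stored.
    check_admin_referer( 'cnzz51la_save_settings', 'cnzz51la_nonce' );

    // 3. Input validation (assumed format): a site ID is digits only.
    //    Reject anything else instead of storing it and hoping output
    //    escaping catches it later.
    $site_id = sanitize_text_field( wp_unslash( $_POST['cnzz51la_site_id'] ) );
    if ( ! preg_match( '/^\d{1,20}$/', $site_id ) ) {
        add_settings_error( 'cnzz51la', 'bad_id', 'Site ID must be numeric.' );
        return;
    }

    update_option( 'cnzz51la_site_id', $site_id );
}

function cnzz51la_print_tracker() {
    $site_id = get_option( 'cnzz51la_site_id', '' );
    if ( '' === $site_id ) {
        return;
    }
    // 4. Output encoding: emit the value as a JSON string literal with
    //    < > & hex-escaped, so even a bad value that somehow reached the
    //    option cannot close the script tag or inject markup.
    echo '<script>var cnzz_site_id = '
        . wp_json_encode( $site_id, JSON_HEX_TAG | JSON_HEX_AMP )
        . ';</script>';
}

add_action( 'admin_init', 'cnzz51la_save_settings' );
add_action( 'wp_footer', 'cnzz51la_print_tracker' );
```

The nonce check alone closes the CSRF path described above; the validation and output encoding are what keep a stored value from becoming a script even if a write does get through by some other route. For detection, a sudden change to a plugin option that was not preceded by an admin page load carrying a valid nonce is the signal to look for in access and audit logs.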
OpenCVE Enrichment