Impact
The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw in the Zack Katz Debt Calculator WordPress plugin that allows an attacker to trigger plugin actions on behalf of a logged‑in user. Because the plugin accepts user‑supplied data without the permission and request‑origin checks that should gate it, a victim's browser can be made to submit that data for the attacker. The official description confirms only the CSRF issue; the title indicates that it can lead to stored Cross‑Site Scripting (XSS), which is inferred from the naming rather than spelled out in the CVE description, so the exact scope of the XSS remains uncertain. If the stored XSS holds, the forged request would write attacker‑controlled script into the plugin's stored data, and that script would then execute in the browser of any user who views the affected content, compromising confidentiality and integrity and potentially enabling session hijacking or data theft.
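The following PHP is an added illustration and is not the Debt Calculator plugin's own code; the advisory does not name the affected handler or parameters, so the option name `dc_example_label`, the action name `dc_example_save` and the field name `label` are assumptions. It shows the generic WordPress pattern that produces a CSRF‑to‑stored‑XSS chain (an admin form handler that trusts POST data from any origin and later echoes it unescaped) beside a hardened version that adds the capability check, the nonce check, input sanitization and output escaping.

```php
<?php
/**
 * Added example, not the Debt Calculator plugin's code.
 * 'dc_example_label', 'dc_example_save' and 'label' are hypothetical names.
 */

// --- Vulnerable pattern -------------------------------------------------
// Reached via POST to admin-post.php?action=dc_example_save. No nonce, no
// capability check, no sanitization: a form on any third-party page can
// submit here, and the victim's browser attaches the WordPress cookies.
function dc_example_save_vulnerable() {
    if ( isset( $_POST['label'] ) ) {
        update_option( 'dc_example_label', $_POST['label'] ); // stored raw
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Rendering the stored value unescaped is what turns the CSRF into
// stored XSS: whatever the forged request wrote now runs for every viewer.
function dc_example_render_vulnerable() {
    echo '<h2>' . get_option( 'dc_example_label' ) . '</h2>';
}

// --- Hardened pattern ---------------------------------------------------
// The form carries a nonce bound to this user, this site and this action.
function dc_example_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dc_example_save">
        <?php wp_nonce_field( 'dc_example_save', 'dc_example_nonce' ); ?>
        <input type="text" name="label"
               value="<?php echo esc_attr( get_option( 'dc_example_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function dc_example_save_hardened() {
    // 1. Capability: only users allowed to change settings may reach this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce: a cross-site page cannot read or forge a valid value, so a
    //    forged POST dies here even if the victim is an administrator.
    check_admin_referer( 'dc_example_save', 'dc_example_nonce' );
    // 3. Sanitize before storing.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'dc_example_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// 4. Escape on output so a stored value can never execute as script.
function dc_example_render_hardened() {
    echo '<h2>' . esc_html( get_option( 'dc_example_label', '' ) ) . '</h2>';
}

add_action( 'admin_post_dc_example_save', 'dc_example_save_hardened' );
```

Steps 1 and 2 close the CSRF: the capability check stops low‑privilege users from reaching the handler at all, and the nonce ties each request to a form the victim actually loaded on this site. Steps 3 and 4 are what prevent the stored‑XSS consequence even if a write does get through, which is why a fix that only adds a nonce should still be reviewed for escaping on every place the stored value is rendered.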
Affected Systems
The affected product is the WordPress Debt Calculator plugin authored by Zack Katz, in all releases from the earliest available version up to and including version 1.0.1. No other vendors or products are listed.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the high severity band, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation follows the usual CSRF path: the attacker needs no credentials of their own, but must entice a logged‑in user to visit a crafted page that submits the forged request, and the request runs with whatever privileges that victim holds. The business risk is therefore highest for sites where administrators or other privileged users browse while authenticated, since a single click from such a user is enough to trigger the action. When assessing an installed copy, check whether the plugin's form and AJAX handlers verify a nonce (`check_admin_referer` or `wp_verify_nonce`) and a capability (`current_user_can`) before acting on request data, and whether the values they store are escaped when rendered; until a fixed release is confirmed, restricting or removing the plugin is the conservative option.
OpenCVE Enrichment
EUVD