A Cross‑Site Request Forgery (CWE-352) vulnerability exists in the anmari amr personalise WordPress plugin that enables an attacker to insert and store arbitrary JavaScript code into the site. The stored XSS payload executes in the browsers of anyone who visits affected pages, potentially leading to credential theft, session hijacking, defacement, or the delivery of additional malicious content. The vulnerability hinges on the ability to trick the server into processing a forged request without valid user tokens, which underscores the importance of proper CSRF mitigation.

The flaw affects all installed instances of the anmari amr personalise plugin with a version number of 2.10 or earlier. The plugin is typically distributed through the WordPress Plugin Directory and can be found under the vendor name anmari. Users with the plugin enabled on their WordPress sites are at risk until the issue is remedied.

The CVSS score of 7.1 indicates a medium to high severity, while the EPSS score of less than 1% suggests the probability of exploitation is currently low. However, the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the flaw is exploitable through a CSRF (CWE-352) attack, an attacker only needs to entice a legitimate user or an authenticated administrator to visit a crafted URL, making it relatively easy to achieve the stored XSS payload. The impact is confined to the affected site but can compromise all users who view the compromised content.