Impact
The Error Notification plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw in its error-logging endpoints: a request that records an error is accepted without verifying that the logged-in user actually intended to send it. An attacker can therefore cause a victim's browser to submit a log entry containing arbitrary JavaScript, which the plugin stores in its error logs and which then executes in the browser of any user who later views those logs (stored cross-site scripting). Because the payload runs in the context of whoever reads the logs, it can be used to hijack that user's session and act on the site with their privileges, which is why the issue is rated high severity.
Affected Systems
All versions of the Error Notification plugin by Taras Dashkevych up to and including 0.2.7 are affected. Any WordPress installation with the plugin installed and active at version 0.2.7 or earlier is exposed.
Risk and Exploitability
The CVSS base score of 7.1 rates the issue as high severity. Its EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires a victim who is logged in to the WordPress site to visit an attacker-controlled page or load attacker-controlled content (for example a crafted link or an embedded image) that makes the browser send the forged request to the error-logging endpoint; the browser attaches the victim's authentication cookies automatically, so the request is accepted as the victim's own. The stored XSS payload then runs in the browser of anyone who views the logs, where it can steal credentials or session tokens, or perform actions on the site with that user's privileges.
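The following is an added illustration of the vulnerability class described in the Impact and Risk sections above, not code from the Error Notification plugin itself. The hook names, option key and form field are hypothetical; the point is to show a WordPress handler that is CSRF-able and renders stored input unescaped next to the same handler with the checks that close both issues.

```php
<?php
// Illustrative WordPress handler pair (hypothetical, not the plugin's code).
// Hook names, the 'demo_error_log' option key and the 'message' field are assumptions.

// --- Vulnerable pattern: CSRF-able write, unescaped read ---
add_action( 'admin_post_demo_log_error', 'demo_log_error_vulnerable' );
function demo_log_error_vulnerable() {
    // No nonce and no capability check: any logged-in user's browser can be
    // made to POST here from a third-party page, and WordPress will accept it.
    $log   = get_option( 'demo_error_log', array() );
    $log[] = $_POST['message'];            // attacker-controlled, stored verbatim
    update_option( 'demo_error_log', $log );
    wp_safe_redirect( admin_url( 'tools.php?page=demo-log' ) );
    exit;
}

function demo_render_log_vulnerable() {
    foreach ( get_option( 'demo_error_log', array() ) as $entry ) {
        echo '<li>' . $entry . '</li>';    // stored XSS: fires for whoever views the page
    }
}

// --- Hardened pattern ---
add_action( 'admin_post_demo_log_error_safe', 'demo_log_error_hardened' );
function demo_log_error_hardened() {
    // 1. CSRF: the request must carry a nonce that only a page we rendered
    //    could have embedded. check_admin_referer() dies on a missing/bad nonce.
    check_admin_referer( 'demo_log_error' );

    // 2. Authorization: tie the write to a capability, not merely "logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input: normalise and length-limit what gets stored.
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    $message = mb_substr( $message, 0, 1000 );

    if ( '' !== $message ) {
        $log   = get_option( 'demo_error_log', array() );
        $log[] = $message;
        update_option( 'demo_error_log', $log );
    }
    wp_safe_redirect( admin_url( 'tools.php?page=demo-log' ) );
    exit;
}

function demo_render_log_hardened() {
    // 4. Output: escape at the point of output regardless of what was stored,
    //    so entries written by older, unsanitised code are neutralised too.
    foreach ( get_option( 'demo_error_log', array() ) as $entry ) {
        echo '<li>' . esc_html( $entry ) . '</li>';
    }
}

function demo_render_form() {
    // The nonce field is the part a cross-site attacker cannot forge.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_log_error' );
    echo '<input type="hidden" name="action" value="demo_log_error_safe">';
    echo '<input type="text" name="message"><button type="submit">Log</button></form>';
}
```

Two points worth noting when reviewing a plugin for this pattern. First, an `admin_post_*` hook only runs for logged-in users, so it is the victim's own session that authorises the forged request; being logged in is exactly what the attacker relies on, and only the nonce plus a capability check distinguish an intended submission from a forged one. Second, sanitising on input (`sanitize_text_field`) and escaping on output (`esc_html`) are separate layers: log entries already written by a vulnerable version remain in the database after an update, so the output escaping is what protects whoever reads the old entries.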