Impact
A Cross-Site Request Forgery (CSRF) flaw exists in the Internal Link Builder plugin for WordPress that permits an attacker to perform unauthorized actions on behalf of any authenticated user. The forged request can inject JavaScript that is stored on the site and executed whenever a user visits the affected page, giving an attacker the ability to steal credentials, deface content, or perform further attacks on the site. Although the description focuses on CSRF, the stored XSS outcome suggests that the payload reaches the page through the plugin's data-handling functions, which store submitted values without a request-origin check and render them without escaping.
Affected Systems
The issue affects the Alessandro Piconi Internal Link Builder plugin for WordPress; the listed affected range is "n/a through 1.0", i.e. all releases up to and including version 1.0. If a site is running one of these releases, the vulnerability is present and exploitable unless mitigated. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 7.1 reflects a moderate-to-severe threat, while the EPSS value of less than 1 % indicates that exploitation is currently considered unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been observed in widespread attacks. The likely attack vector is web-based: the victim must be logged in as a user with permission to use the plugin's administrative functions. If an attacker can persuade such a user to perform a specific action (for example, loading a page under the attacker's control while logged in), the CSRF mechanism can submit data in that user's session that is stored and later executed as part of the site's content. The standard WordPress mitigations are a nonce check and a capability check on every state-changing handler, plus sanitization on input and escaping on output.
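To make the CSRF-to-stored-XSS chain and its fix concrete, the following is an added illustration (not code from the Internal Link Builder plugin or its author) of a WordPress admin-post handler in the vulnerable shape the advisory describes and in a hardened form; the `ilb_` hook, option and field names are assumed for the example.

```php
<?php
// Added illustration; not code from the Internal Link Builder plugin. The
// 'ilb_' hook, option and field names are assumed for the example.

// Pattern the advisory describes: any request carrying the victim's login
// cookie is trusted, and the submitted values are stored verbatim.
function ilb_save_link_vulnerable() {
    $links   = (array) get_option( 'ilb_links', array() );
    $links[] = array( 'title' => $_POST['title'], 'url' => $_POST['url'] );
    update_option( 'ilb_links', $links ); // later echoed unescaped
}

// Hardened form: the request must carry a nonce bound to this action and the
// current user's session, the user must hold the capability, and data is
// sanitized on input and escaped on output.
function ilb_save_link_hardened() {
    check_admin_referer( 'ilb_save_link', 'ilb_nonce' ); // dies on a forged request
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $url   = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $title || '' === $url ) {
        wp_die( 'Invalid input', '', array( 'response' => 400 ) );
    }
    $links   = (array) get_option( 'ilb_links', array() );
    $links[] = array( 'title' => $title, 'url' => $url );
    update_option( 'ilb_links', $links );
    wp_safe_redirect( admin_url( 'admin.php?page=ilb' ) );
    exit;
}
add_action( 'admin_post_ilb_save_link', 'ilb_save_link_hardened' );

// The form that posts to the handler embeds the matching nonce field.
function ilb_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ilb_save_link">';
    wp_nonce_field( 'ilb_save_link', 'ilb_nonce' );
    echo '<input name="title"><input name="url"><button>Save</button></form>';
}

// Output side: escape at render time so stored values cannot run as script.
function ilb_render_links() {
    foreach ( (array) get_option( 'ilb_links', array() ) as $link ) {
        printf( '<a href="%s">%s</a>', esc_url( $link['url'] ), esc_html( $link['title'] ) );
    }
}
```

Because a nonce is tied to the logged-in user's session and is not present on a third-party page, a cross-origin form submission fails `check_admin_referer` before anything is stored; the output escaping is the second layer that keeps already-stored values from executing.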