Impact
The PPO Call To Actions plugin for WordPress, developed by Ngô Thắng IT, contains a Cross-Site Request Forgery (CSRF) vulnerability: a request originating from an attacker-controlled page is accepted as though it had been issued by an authenticated user. According to the advisory title and the vendor reference, the forged request can store attacker-controlled content, producing a stored cross-site scripting (XSS) payload that executes in the browser of any user who views the affected content. Consequences include theft of sessions or credentials, defacement, or further compromise of the site.
Affected Systems
All installations of the PPO Call To Actions plugin by Ngô Thắng IT from the initial release through version 0.1.3 are affected. No finer-grained version ranges are listed, so any version at or below 0.1.3 should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 7.1 falls in the High severity band, reflecting the potential for significant harm if the flaw is exploited. The EPSS score of less than 1% indicates that, at the time of analysis, the probability of exploitation in the wild was very low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. As a CSRF weakness it requires user interaction: an attacker must lure a logged-in user with sufficient privileges into visiting a malicious page or otherwise triggering the crafted request. This limits the attack surface but still poses a risk to sites with active administrators, and because the result is stored XSS, the payload affects every subsequent viewer of the content, not only the user who was tricked.
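The forged-request-to-stored-XSS chain described above is a generic WordPress pattern. The following added example is written for a hypothetical plugin and is not taken from PPO Call To Actions or its vendor; it shows an admin action handler that is CSRF-vulnerable in the way the advisory describes beside a hardened version. The hook names, option names and every `example_cta_*` identifier are assumptions made for illustration.

```php
<?php
/**
 * Illustrative WordPress admin action handlers for a hypothetical plugin
 * ("example-cta"). Not the PPO Call To Actions plugin's code.
 * Shows the CSRF-vulnerable pattern that lets a forged request store
 * attacker-controlled HTML, followed by the hardened form.
 */

// --- Vulnerable pattern: no nonce, no capability check, unsanitized storage ---
// admin_post_{action} runs for any logged-in user whose browser sends a request
// to /wp-admin/admin-post.php?action=example_cta_save_vulnerable, including a
// form auto-submitted from an attacker's page (the browser attaches the cookies).
add_action( 'admin_post_example_cta_save_vulnerable', function () {
    // Stored verbatim: <script> tags or onerror= attributes survive into the option.
    update_option( 'example_cta_text', $_POST['cta_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-cta' ) );
    exit;
} );

// --- Hardened pattern: nonce + capability + sanitization on write, escaping on read ---
add_action( 'admin_post_example_cta_save', function () {
    // 1. CSRF: reject the request unless it carries a nonce bound to this action
    //    and the current user's session. Stops execution on failure.
    check_admin_referer( 'example_cta_save', 'example_cta_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'example-cta' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Input filtering: keep only the HTML allowed in post content; kses removes
    //    <script>, on* event attributes and javascript: URLs.
    $text = isset( $_POST['cta_text'] ) ? wp_kses_post( wp_unslash( $_POST['cta_text'] ) ) : '';
    $url  = isset( $_POST['cta_url'] ) ? esc_url_raw( wp_unslash( $_POST['cta_url'] ) ) : '';

    update_option( 'example_cta_text', $text );
    update_option( 'example_cta_url', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-cta' ) ) );
    exit;
} );

// Settings form: the hidden nonce field is what makes the hardened handler's check pass.
function example_cta_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_cta_save">
        <?php wp_nonce_field( 'example_cta_save', 'example_cta_nonce' ); ?>
        <textarea name="cta_text"><?php echo esc_textarea( get_option( 'example_cta_text', '' ) ); ?></textarea>
        <input type="url" name="cta_url" value="<?php echo esc_attr( get_option( 'example_cta_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Front-end render: stored data is filtered again on output as defence in depth,
// in case the option was written by another code path.
add_shortcode( 'example_cta', function () {
    $text = wp_kses_post( get_option( 'example_cta_text', '' ) );
    $url  = esc_url( get_option( 'example_cta_url', '' ) );
    return '<a class="example-cta" href="' . $url . '">' . $text . '</a>';
} );
```

Two checks matter independently here. The nonce (`check_admin_referer`) defeats the cross-site forgery because an attacker's page cannot read the per-user token; the capability check (`current_user_can`) stops a low-privileged but legitimately logged-in user from writing the setting directly. Sanitizing on write with `wp_kses_post` and escaping on output are what prevent a stored payload from becoming XSS if either of the first two checks is ever bypassed.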