Impact
This vulnerability exists because the WP Coder plugin accepts user input via a form that is not protected by a CSRF token. A malicious actor can craft a request that an authenticated site user unknowingly submits, causing arbitrary JavaScript to be stored or executed within the WordPress admin interface. If the script runs, it can steal session cookies, hijack the user's session, or perform actions on the user's behalf in the site's management console without their knowledge. The weakness is formally identified as CWE-352.
Affected Systems
Wow-Company WP Coder plugin for WordPress, versions up to and including 3.6. Any WordPress site with this plugin installed and enabled is susceptible, regardless of the active theme or other plugins.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is classified as high severity. The EPSS score is below 1 %, indicating that exploitation is currently uncommon, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote: the attacker needs only to induce the victim's browser to submit a crafted request, and the payload then executes in the context of an authenticated WordPress administrator or other privileged user. Because the flaw stems from missing CSRF protection, the victim must hold sufficient privileges to reach the affected form, typically an administrator or editor role.
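To make the defect class concrete, the following is an added illustration (not the WP Coder plugin's code) of a hypothetical WordPress admin form handler in its weak form beside a hardened form; the option name, action name, field names and page slug are invented placeholders. The fix is the standard WordPress pattern for CWE-352: bind the form to a nonce, verify it server-side, require the capability the action implies, and escape the stored value wherever it is re-rendered in the admin UI.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical placeholders.

// Weak pattern: the handler trusts any POST that reaches it. A forged request that a
// logged-in administrator's browser submits is indistinguishable from a legitimate one,
// and the raw value is stored and later echoed into the admin interface.
function example_vuln_save() {
    if ( isset( $_POST['example_snippet'] ) ) {
        // No nonce, no capability check, no escaping on later output.
        update_option( 'example_snippet', wp_unslash( $_POST['example_snippet'] ) );
    }
}

// Hardened pattern, part 1: the form carries a nonce tied to this action and to the
// current user's session, and the stored value is escaped when redisplayed.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_snippet">
        <?php wp_nonce_field( 'example_save_snippet', 'example_nonce' ); ?>
        <textarea name="example_snippet"><?php
            echo esc_textarea( get_option( 'example_snippet', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify the nonce and the capability before touching state.
function example_safe_save() {
    // check_admin_referer() stops the request (wp_die) when the nonce is missing or does
    // not match the current user, so a cross-site forged submission never reaches update_option().
    check_admin_referer( 'example_save_snippet', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['example_snippet'] ) ? wp_unslash( $_POST['example_snippet'] ) : '';
    update_option( 'example_snippet', $value );

    // Redirect back to the (placeholder) settings page; exit so nothing else runs.
    wp_safe_redirect( admin_url( 'options-general.php?page=example-snippet&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_snippet', 'example_safe_save' );
```

Because WordPress nonces are bound to the user session and the action name, a page served from another origin cannot obtain a valid one, which is exactly the property the advisory says the affected form lacks.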