A Cross‑Site Request Forgery flaw in the WP Admin Custom Page plugin permits an attacker to submit a forged request that includes a malicious script. The script is stored by the plugin and later displayed whenever the affected custom page is viewed. Because the payload is executed in the context of any user who sees the page, it can be used to steal authentication tokens, deface site content, or perform other malicious actions. The CVE description does not detail downstream effects, but the nature of stored XSS suggests the risk of credential theft or broader compromise when a visitor or administrator loads the page.

Every WordPress installation that has the thunderbax WP Admin Custom Page plugin version 1.5.0 or earlier is potentially vulnerable. This includes any site where the plugin is active and enabled, regardless of other security controls or site configurations.

The CVSS score of 7.1 indicates a high severity vulnerability, yet the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, meaning no publicly known active exploitation has been reported. Based on the description, it is inferred that the forged request must be made from a page that the target user visits, implying the attacker needs to entice a user with the appropriate session—likely an authenticated administrator—to perform the request. Once the script is stored, it will run for any subsequent visitor or authenticated user viewing the affected custom page, with no additional authentication required for the XSS execution itself.