A cross‑site request forgery flaw in the Cazamba WordPress plugin permits attackers to inject malicious scripts into responses that are directly reflected back to the user. The vulnerability enables the execution of arbitrary client‑side code whenever a forged request is processed, potentially resulting in session hijacking, defacement or other malicious activities originating from the victim's browser. Based on the description, it is inferred that the exploitation relies on a victim being tricked into visiting a crafted URL that triggers the forged request.

The issue affects the Cazamba plugin from victoracano – all releases up to and including version 1.2. Users operating any of these versions are susceptible and should verify their installed version against the latest release.

Based on the description, it is inferred that the attack vector is a web‑based CSRF scenario requiring a victim user with a legitimate session to submit a forged request. The CVSS score of 7.1 reflects a high severity level, while an EPSS score of less than 1% indicates a currently low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The vector is web‑based; an attacker can craft a malicious request that a victim’s browser will unknowingly submit, triggering the reflected XSS payload. No privileged access is required beyond a user with a legitimate session, making the flaw broadly exploitable when the plugin endpoint is reachable.