Impact
A Cross‑Site Request Forgery flaw in the URL‑Preview‑Box plugin permits an unauthenticated attacker to execute a crafted request that stores a malicious payload in the plugin’s database entry. The stored script is then rendered in the browser of any user who views the affected content, leading to persistent cross‑site scripting. The vulnerability is rooted in deficient CSRF protection (CWE-352) and results in a stored malicious script that can compromise user sessions and data.
Affected Systems
The WordPress plugin URL‑Preview‑Box from the vendor mraliende is affected. All releases up to and including version 1.20 are vulnerable; no later version is listed as impacted.
Risk and Exploitability
The vulnerability’s CVSS score of 7.1 indicates a moderate to high risk. Although the EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, the exploit pathway requires only that an attacker convince a victim to follow a crafted link or submit a form that stores the payload in the plugin’s settings. Once in place, the stored XSS can run arbitrary JavaScript in the context of the site, potentially leading to credential theft or defacement. Given the simplicity of the CSRF trigger and the persistence of the XSS payload, the risk remains significant for sites that have not yet upgraded or mitigated the flaw.
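The two sections above describe a single chain: a settings write that accepts forged cross-site requests, and a stored value that is later rendered unescaped. The following WordPress handler is an added example, not code from the URL-Preview-Box plugin or its vendor, showing the controls whose absence produces that chain: a nonce and capability check before the option is written, sanitisation on input, and escaping at the point of output. The option name, nonce action, hook name and all `upb_example_*` function names are assumptions made for this illustration; the WordPress API calls (`check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`, and so on) are real.

```php
<?php
/**
 * Added example (not the URL-Preview-Box plugin's own code): a minimal
 * WordPress settings handler for a hypothetical "preview box" option.
 * It demonstrates the controls that close the CSRF-to-stored-XSS path:
 *   1. a nonce plus capability check before the option is written, and
 *   2. sanitisation on input and escaping on output.
 * Option name, nonce action, hook and function names are assumptions.
 */

// --- Admin form: emits the nonce field that the handler later verifies. ---
function upb_example_render_settings_form() {
    $current = get_option( 'upb_example_preview_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="upb_example_save">
        <?php wp_nonce_field( 'upb_example_save_settings', 'upb_example_nonce' ); ?>
        <label>
            Preview title
            <input type="text" name="upb_preview_title"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Handler: runs for admin-post.php?action=upb_example_save. ---
function upb_example_save_settings() {
    // CSRF defence: a request forged from another origin cannot carry a
    // valid nonce for this user and action. check_admin_referer() calls
    // wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'upb_example_save_settings', 'upb_example_nonce' );

    // Authorisation: the nonce proves intent, not privilege, so the
    // capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // Input sanitisation: strip tags and control characters before storing.
    $title = isset( $_POST['upb_preview_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['upb_preview_title'] ) )
        : '';
    update_option( 'upb_example_preview_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=upb-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_upb_example_save', 'upb_example_save_settings' );

// --- Front-end output: escape at the point of rendering regardless of what
//     was stored, so a value that slipped past sanitisation is inert. ---
function upb_example_render_preview_box() {
    $title = get_option( 'upb_example_preview_title', '' );
    return '<div class="upb-preview"><h3>' . esc_html( $title ) . '</h3></div>';
}
```

The handler keeps the two defences independent on purpose: the nonce check stops the forged write described in the Impact section, while output escaping ensures that any value already sitting in the database from a pre-patch compromise is rendered as text rather than executed. When auditing a plugin for this class of flaw, the absence of a `check_admin_referer`/`wp_verify_nonce` call in the code path that reaches `update_option` is the first thing to look for.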
OpenCVE Enrichment