Impact
The vulnerability is a cross‑site request forgery (CSRF) flaw in the Custom Links On Admin Dashboard Toolbar WordPress plugin that allows an attacker to insert malicious scripts into the plugin’s configuration. A logged‑in administrator who follows a crafted link can cause the plugin to store arbitrary JavaScript, which is later executed whenever other administrators view the dashboard. This stored XSS can lead to credential theft, session hijacking, or other malicious actions on the site. The weakness is classified as CWE‑352.
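The two defects that combine here, a settings handler that accepts forged requests and a toolbar renderer that outputs stored values unescaped, can be contrasted with their fixed forms in a small illustrative plugin. The following is an added example written for this page, not the plugin's own code; the option name (demo_toolbar_links), form field names, action hook and function names are assumptions, and the WordPress API calls (check_admin_referer, wp_nonce_field, sanitize_text_field, esc_url_raw, esc_html, esc_url, add_node) are the standard ones.

```php
<?php
// Hypothetical WordPress plugin code for illustration (not the affected plugin's code).
// Assumed option name 'demo_toolbar_links' and form fields 'link_title' / 'link_url'.

// --- Vulnerable pattern: no CSRF token, no input sanitization, unescaped output ---
function demo_toolbar_save_links_vulnerable() {
    // A forged POST submitted by a logged-in admin's browser is indistinguishable
    // from a genuine one, because nothing ties the request to an intent of that user.
    $links   = (array) get_option( 'demo_toolbar_links', array() );
    $links[] = array(
        'title' => $_POST['link_title'],   // stored unfiltered
        'url'   => $_POST['link_url'],
    );
    update_option( 'demo_toolbar_links', $links );
}

function demo_toolbar_render_vulnerable( $wp_admin_bar ) {
    foreach ( (array) get_option( 'demo_toolbar_links', array() ) as $i => $link ) {
        $wp_admin_bar->add_node( array(
            'id'    => 'demo-link-' . $i,
            'title' => $link['title'],  // unescaped: stored markup runs for every admin
            'href'  => $link['url'],
        ) );
    }
}

// --- Hardened pattern: capability check, nonce verification, sanitization, escaping ---
function demo_toolbar_save_links_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a nonce issued to this user for this action,
    // which a cross-site forged request cannot supply.
    check_admin_referer( 'demo_toolbar_save', 'demo_toolbar_nonce' );

    $title = sanitize_text_field( wp_unslash( $_POST['link_title'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['link_url'] ?? '' ) ); // drops disallowed schemes
    if ( '' === $title || '' === $url ) {
        wp_die( 'Title and URL are required.', '', array( 'response' => 400 ) );
    }

    $links   = (array) get_option( 'demo_toolbar_links', array() );
    $links[] = array( 'title' => $title, 'url' => $url );
    update_option( 'demo_toolbar_links', $links );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-toolbar&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_toolbar_save', 'demo_toolbar_save_links_hardened' );

function demo_toolbar_render_hardened( $wp_admin_bar ) {
    foreach ( (array) get_option( 'demo_toolbar_links', array() ) as $i => $link ) {
        $wp_admin_bar->add_node( array(
            'id'    => 'demo-link-' . (int) $i,
            'title' => esc_html( $link['title'] ),  // escape at output as a second layer
            'href'  => esc_url( $link['url'] ),
        ) );
    }
}
add_action( 'admin_bar_menu', 'demo_toolbar_render_hardened', 100 );

// Settings form: the nonce field emitted here is what the hardened handler verifies.
function demo_toolbar_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_toolbar_save">
        <?php wp_nonce_field( 'demo_toolbar_save', 'demo_toolbar_nonce' ); ?>
        <input type="text" name="link_title">
        <input type="url" name="link_url">
        <button type="submit">Add link</button>
    </form>
    <?php
}
```

The nonce check alone closes the CSRF path described above; sanitizing on input and escaping on output are kept as independent layers so that a stored value can never reach other administrators' browsers as executable markup even if a future code path bypasses the form.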
Affected Systems
The flaw affects the Custom Links On Admin Dashboard Toolbar plugin by Victor Barkalov, versions up through 3.3. Any WordPress installation running this plugin at version 3.3 or earlier is vulnerable; the issue has been reported for all releases from the earliest through 3.3 inclusive, and sites on those versions require the patch.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high‑severity range, but the EPSS score of less than 1 % indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to entice an authenticated administrator to visit a malicious link or otherwise submit a forged request; the attack occurs in the browser once the admin is logged in to the site. The attack surface is therefore the plugin’s administrative configuration interface, and success depends on user interaction by a privileged user.
OpenCVE Enrichment
EUVD