Impact
The Rishi On Page SEO + Whatsapp Chat Button plugin contains a Cross‑Site Request Forgery flaw that permits an attacker to inject and persist malicious JavaScript code. When the vulnerable plugin processes the forged request, the script is stored and later executed in any browser that renders the affected content, resulting in a Stored XSS vulnerability. This type of flaw gives an attacker the ability to run arbitrary code in users' browsers whenever they view the compromised content.
Affected Systems
WordPress installations using the On Page SEO + Whatsapp Chat Button plugin up to and including version 2.0.0 are affected. The affected range runs from the first release (version unknown) through 2.0.0, so any site that has not upgraded past 2.0.0 is at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity rating. The EPSS score of less than 1% shows that, at the time of this analysis, the probability of active exploitation is very low but not zero. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to cause a state-changing request to be sent to the plugin's authenticated interface; the likely attack vector is a CSRF request executed under a user with sufficient privileges to access the plugin's admin interface. No other conditions are specified in the CVE data. Exploitation requires the plugin's CSRF protections to be compromised or absent, which is what the flaw provides.
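The defence against the chain described under Impact and under Risk and Exploitability, as an added example (not the plugin's code, which this page does not show): a WordPress settings handler with no nonce check beside a hardened one. The option name, field names and every `example_` function are hypothetical, and where the stored value is rendered is an assumption; the WordPress functions called are core APIs.

```php
<?php
// Added example. Every name prefixed "example_" is hypothetical, not the plugin's own.

// --- Pattern that yields CSRF -> stored XSS (shown for contrast) ---
// No nonce check: any request carried by a logged-in admin's browser is accepted.
// No sanitising on save: the submitted value is stored verbatim.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_chat_label'] ) ) {
        update_option( 'example_chat_label', $_POST['example_chat_label'] );
    }
}

// --- Hardened form ---
// 1. The settings form carries a nonce tied to the user, the session and this action.
function example_render_settings_form() {
    $label = get_option( 'example_chat_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_chat_label" value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 2. The handler checks capability and nonce before changing state, then sanitises.
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies if the nonce is missing or invalid, so a forged cross-site request stops here.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    $label = isset( $_POST['example_chat_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_chat_label'] ) )
        : '';
    update_option( 'example_chat_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );

// 3. Output is escaped as well, so a value stored before the fix cannot execute.
function example_render_chat_button() {
    $label = get_option( 'example_chat_label', '' );
    echo '<span class="example-chat-label">' . esc_html( $label ) . '</span>';
}
```

The nonce check closes the CSRF entry point; the sanitising and escaping are independent layers that keep a stored value from running as script even if a forged write had already succeeded.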