An attacker can exploit a CSRF flaw in the "Read More Copy Link" plugin to inject malicious JavaScript that becomes permanently saved in the website’s content, turning the site into a vector for persistent XSS attacks. The vulnerability arises from insufficient validation of requests that trigger the copy‑link action, allowing an unauthenticated request from a victim’s browser to masquerade as a legitimate admin operation and store the attacker’s payload.

The issue impacts the ElbowRobo Read More Copy Link plugin in all versions from the first release up to and including 1.0.2. Site administrators using any of these versions are susceptible until a newer release is applied.

With a CVSS score of 7.1 the flaw is considered high severity. The EPSS score of less than 1% indicates that exploitation events are currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires an end‑user to visit a crafted link or otherwise load a page that triggers the vulnerable request, so active user interaction or a compromised site is typically needed. Once injected, the stored script runs in the context of future visitors, granting the attacker read access to session data, credential theft, or defacement.