The Naver Syndication V2 plugin allows attackers to inject malicious script that is stored in the plugin’s data store. Existing users with write access can submit input that is not properly neutralized, leading to a stored Cross‑Site Scripting flaw that can be triggered when a page is rendered. The advisory notes that the vulnerability can be exploited through a CSRF‑enabled pathway, meaning an attacker could trick a legitimate user into submitting malicious payloads while authenticated.

WordPress sites that have installed the Naver Syndication V2 plugin from badrHan, with versions ranging from the earliest released up through 0.8.3. Any site that uses this plugin is potentially vulnerable, regardless of the site’s overall WordPress version.

The CVSS score of 7.1 places this vulnerability in the high‑severity range, indicating significant impact should it be exploited. The EPSS score of less than 1% suggests that widespread exploitation is unlikely at present, yet the possibility remains, especially in environments where the plugin is highly exposed or runs with elevated privileges. The vulnerability is not currently listed in CISA’s KEV catalog, but the stored XSS payload could be used to deface pages, steal session cookies, or deliver malware to site visitors. Exploitation would typically require a user with sufficient privileges to submit form data, combined with a CSRF vector to bypass CSRF tokens or session checks, after which the script would execute in the context of any visitor who views the affected page.