The CVE points to a CSRF flaw in the WP PHPList phplist‑form‑integration plugin that permits attackers to perform privileged actions on behalf of an authenticated user. The weakness is classified as CWE‑352. The plugin does not enforce a CSRF token for its form submissions, enabling an attacker to craft a request that forces a logged‑in user to submit data. No explicit statement is made that the plugin stores user‑submitted data without sanitization, so the potential for data persistence is not confirmed in the description, though the title suggests a stored XSS possibility.

WordPress sites running the WP PHPList phplist‑form‑integration plugin version 1.7 or older. The vendor is jesseheap, product name WP PHPList. Administrators should confirm if this plugin is deployed and if the version in use is below 1.8.

The CVSS score of 7.1 indicates moderate to high risk. The EPSS score of less than 1% implies exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known. An attacker would likely craft a malicious link or embed a form that triggers the CSRF, requiring a target user to be authenticated with sufficient privileges to act on the site. If the attack succeeds, it could result in loss of integrity or execution of harmful code, with the latter possible if malicious payloads are stored and later rendered in other users’ browsers.