Impact
The DX-auto-publish plugin contains a Cross‑Site Request Forgery flaw that allows an attacker to submit a specially crafted request on behalf of a logged‑in administrator. The plugin then stores the supplied payload in a database field and renders it during normal page output. Because the malicious code is preserved, users who view the affected pages are subjected to Stored Cross‑Site Scripting, which can lead to theft of session cookies, defacement, or execution of arbitrary JavaScript in the victim's browser. This weakness is identified as CWE‑352 (Cross‑Site Request Forgery).
Affected Systems
The vulnerability is present in every released version of the DaxiaWP DX‑auto‑publish WordPress plugin up to and including 1.2; any WordPress site running this plugin at version 1.2 or earlier is at risk. No other WordPress components are reported to be impacted.
Risk and Exploitability
The CVSS score of 7.1 (high severity) reflects the combination of a low authentication barrier and the persistent nature of the XSS payload. The EPSS score of less than 1% suggests that, as of the latest analysis, exploitation attempts are infrequent. The vulnerability is not listed in CISA’s KEV catalog, implying no publicly known, widespread exploitation. The likely attack path requires the attacker to first lure a privileged user to a crafted link or form submission, which then coerces the user’s browser into sending a POST request that stores the malicious data. Once stored, any visitor who views the corresponding page will execute the embedded script.
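The Impact and Risk sections above describe the generic WordPress failure mode behind this class of finding: an admin form handler that accepts a POST without a nonce check, stores the value, and echoes it unescaped. The following is an added illustration written for this page, not code from the DX‑auto‑publish plugin or from DaxiaWP; the handler names (dxap_demo_*), the option key (dxap_demo_footer_text) and the field name (footer_text) are hypothetical. It places the vulnerable pattern beside the hardened one so the four defensive layers (nonce, capability check, input sanitisation, output escaping) can be compared line by line.

```php
<?php
// Added example, not the plugin's own code. All dxap_demo_* names and the
// option key 'dxap_demo_footer_text' are hypothetical placeholders.

// --- Vulnerable pattern --------------------------------------------------
// No nonce: any page the logged-in admin visits can make the browser POST
// here (CSRF). No capability check, no sanitisation, and raw output below
// turns the stored value into a persistent XSS payload.
add_action( 'admin_post_dxap_demo_save_vuln', 'dxap_demo_save_vuln' );
function dxap_demo_save_vuln() {
    update_option( 'dxap_demo_footer_text', $_POST['footer_text'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function dxap_demo_render_vuln() {
    // Unescaped echo: whatever was stored is rendered for every visitor.
    echo '<div class="dxap-footer">' . get_option( 'dxap_demo_footer_text' ) . '</div>';
}

// --- Hardened pattern ----------------------------------------------------
// The settings form emits a nonce bound to this action and to the current
// user's session, so a cross-site POST cannot supply a valid token.
function dxap_demo_form_hardened() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dxap_demo_save_hardened">
        <?php wp_nonce_field( 'dxap_demo_save', 'dxap_demo_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'dxap_demo_footer_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_dxap_demo_save_hardened', 'dxap_demo_save_hardened' );
function dxap_demo_save_hardened() {
    // 1. CSRF defence: verify the nonce for this exact action; check_admin_referer()
    //    terminates the request with an error page when the token is missing or invalid.
    check_admin_referer( 'dxap_demo_save', 'dxap_demo_nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege. A low-privilege
    //    user with a genuine nonce must still be refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'dxap-demo' ), 403 );
    }

    // 3. Input handling: unslash and strip tags/control characters before storage.
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'dxap_demo_footer_text', $text );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function dxap_demo_render_hardened() {
    // 4. Output encoding: escape at render time regardless of what was done on
    //    input, so a value that reached the database by another path is still inert.
    echo '<div class="dxap-footer">' . esc_html( get_option( 'dxap_demo_footer_text', '' ) ) . '</div>';
}
```

The nonce alone closes the CWE‑352 path described above, but it does nothing about the stored value itself; sanitisation on input and escaping on output are what remove the Stored XSS consequence, and the output escape is the layer to rely on, since input filtering can be bypassed or applied inconsistently across code paths. When auditing a plugin for this pattern, look for `admin_post_*`, `admin_init` or `wp_ajax_*` handlers that call `update_option()` or write to the database without a preceding `check_admin_referer()` / `wp_verify_nonce()` and `current_user_can()` pair, and for `echo` of option values that lacks an `esc_*` wrapper.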
OpenCVE Enrichment
EUVD