The vulnerability is a CSRF weakness that allows a logged-in user to submit crafted requests to the what3words Address Field plugin, causing to store arbitrary JavaScript in its configuration. As the stored code is rendered when the plugin's interface or accompanying front-end component loads, the flaw provides Stored XSS that could steal credentials, deface the site or facilitate further attacks. The weakness corresponds to CWE-352 and is classified as a moderate to high severity risk (CVSS 7.1).

The affected software is the WordPress plugin what3words Address Field (3-word address validation field). All releases up to and including version 4.0.15 are vulnerable; newer releases (4.0.16 and later) contain the fix.

The CVSS score of 7.1 indicates that the vulnerability can cause significant damage if exploited, yet the EPSS score of less than 1% shows that the likelihood of real-world exploitation is very low at present. The flaw is listed as not present in CISA's KEV catalog. Attackers would need to trick a site administrator or other privileged user into visiting a malicious link that performs a CSRF request, which then stores malicious code. Once stored, the code runs in the context of the plugin and any user who views the affected interface, enabling persistent cross-site scripting and potential credential theft or defacement.