The vulnerability allows an attacker to inject malicious JavaScript into the vote data via a CSRF request that the Tribulant Gallery Voting plugin accepts without verification. While the CVE data explicitly mentions stored XSS, it does not state the authentication requirement for the victim; based on the nature of CSRF, an authenticated user must be tricked into visiting a crafted page. This inference is drawn from the described CSRF mechanism, not directly from the CVE entry.

All WordPress installations that have the Tribulant Gallery Voting plugin version 1.2.1 or older are affected, regardless of theme or other plugins. The flaw applies to every enabled voting instance where users can submit votes that are stored via the plugin.

The CVSS score of 7.1 signals high severity, but the EPSS score of less than 1% indicates a low probability of exploitation currently. The flaw is not listed in the CISA KEV catalog. The likely attack path involves an attacker creating a malicious webpage that submits a crafted CSRF request to the plugin’s endpoint while a site visitor is authenticated; the plugin records the injected script, which then executes for any user who later views the vote data. The exploitation requires user interaction but can lead to widespread compromise if the site has many users.