Impact
WordPress sites running the Steveorevo Domain Theme plugin are exposed to a Cross-Site Request Forgery vulnerability that can be abused to store malicious JavaScript. Because the flaw is CSRF-based, an attacker must trick an authenticated user, most likely an administrator, into submitting a forged request that injects a script into the site's content. Once stored, the payload runs in visitors' browsers, enabling cookie theft, defacement, or further phishing activity. The root cause is improper validation of incoming data combined with missing anti-CSRF checks, classified under CWE-352.
Affected Systems
The issue affects the Steveorevo Domain Theme WordPress plugin up to and including version 1.3. Any WordPress installation with this plugin installed and active is potentially affected. No further sub-product variants are listed.
Risk and Exploitability
The CVSS score of 7.1 reflects a moderate vulnerability that permits code execution via a browser. The EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation, and the flaw is not listed in the CISA KEV catalog. Exploitation likely requires an authenticated administrator to unknowingly trigger the CSRF request; this inference follows from typical CSRF patterns, though the CVE description does not explicitly state the privilege requirement. Success results in stored XSS that can harvest credentials, hijack sessions, or modify site content.
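The two sections above describe the same CWE-352 chain: a settings handler that accepts a forged POST and persists unsanitized input, which later renders as stored XSS. The following is an added illustration written for this page, not code from the Steveorevo Domain Theme plugin; the option name, action hooks, nonce name and theme allow-list are all hypothetical. It places the generic vulnerable handler shape next to a hardened version that adds the three controls WordPress provides for exactly this case: a capability check, a nonce verified with `check_admin_referer()`, and allow-list validation before `update_option()`, with escaping on output.

```php
<?php
// Added example for this advisory page; hypothetical option/hook names,
// not the affected plugin's code. Demonstrates the CWE-352 -> stored XSS
// pattern and its mitigation in a WordPress settings handler.

// ---- Vulnerable shape (reference only) ----
// No capability check, no nonce, raw input stored: a forged POST sent by a
// logged-in admin's browser persists whatever the attacker put in the field.
add_action( 'admin_post_demo_save_domain_theme_unsafe', function () {
    update_option( 'demo_domain_theme', $_POST['domain_theme'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-domain-theme' ) );
    exit;
} );

// ---- Hardened handler ----
add_action( 'admin_post_demo_save_domain_theme', function () {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. Anti-CSRF: check_admin_referer() calls wp_die() (HTTP 403) when the
    //    nonce field "demo_nonce" is missing or does not match the action.
    check_admin_referer( 'demo_save_domain_theme', 'demo_nonce' );

    // 3. Input validation: accept only a known theme slug, never free text.
    $allowed = array( 'default', 'dark', 'minimal' ); // hypothetical allow-list
    $theme   = isset( $_POST['domain_theme'] )
        ? sanitize_key( wp_unslash( $_POST['domain_theme'] ) )
        : '';
    if ( ! in_array( $theme, $allowed, true ) ) {
        wp_die( 'Invalid theme value', '', array( 'response' => 400 ) );
    }

    update_option( 'demo_domain_theme', $theme );
    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo-domain-theme' ) )
    );
    exit;
} );

// Settings form: emits the nonce the hardened handler verifies and escapes
// the stored value on output, so even a previously stored payload is inert.
function demo_render_domain_theme_form() {
    $current = get_option( 'demo_domain_theme', 'default' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_domain_theme', 'demo_nonce' ); ?>
        <input type="hidden" name="action" value="demo_save_domain_theme">
        <label>Theme for this domain:
            <input type="text" name="domain_theme" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The nonce and the capability check address the CSRF side (a cross-origin form cannot include a valid per-user nonce), while the allow-list and `esc_attr()` address the stored-XSS side; a fix that adds only the nonce still leaves a legitimate admin able to store script, and a fix that adds only escaping still lets a forged request change the setting.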
OpenCVE Enrichment