Impact
The No Disposable Email plugin for WordPress contains a CSRF vulnerability that permits an attacker to insert arbitrary JavaScript into the site’s stored content. The stored XSS can execute when ordinary site visitors load the affected page, enabling session hijacking, defacement, or malicious redirects. This flaw originates from missing CSRF protection during form submissions that modify stored data, allowing an unprivileged user to inject script payloads.
Affected Systems
Any WordPress site that has installed the No Disposable Email plugin version 2.5.1 or earlier is vulnerable. The plugin is distributed by a developer under the name philippe, and the issue applies to all releases from the first version to 2.5.1. Sites running later versions are presumably unaffected.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is considered high impact. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not present in CISA’s KEV catalog. An attacker would most likely deliver a malicious link or email that, when opened by a site administrator, submits a forged (CSRF) request to the plugin’s update endpoint, thereby storing the malicious script. The attack requires the victim to hold sufficient privileges to save the stored content, but does not need elevated rights beyond normal content management roles.
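The pattern behind this class of flaw, shown as an added illustration rather than the No Disposable Email plugin's actual code: a hypothetical WordPress settings handler that saves a form field with no nonce check (the CSRF gap) and prints it unescaped (the stored XSS), beside a hardened version that verifies the nonce and capability, sanitizes on save and escapes on output. The option name, form field, action slug and function names are assumptions.

```php
<?php
// Hypothetical WordPress settings handler (not the plugin's own code).
// Option name 'nde_demo_message', field and action slug are invented for illustration.

// --- Vulnerable pattern: no nonce or capability check, raw storage, unescaped output ---
function nde_demo_save_vulnerable() {
    if ( isset( $_POST['nde_demo_message'] ) ) {
        // Any POST that reaches this handler is accepted, so a form auto-submitted from
        // another site by a logged-in admin's browser writes attacker-controlled HTML.
        update_option( 'nde_demo_message', $_POST['nde_demo_message'] );
    }
}

function nde_demo_render_vulnerable() {
    // Stored value printed as-is: any <script> saved above runs for every visitor.
    echo get_option( 'nde_demo_message', '' );
}

// --- Hardened pattern ---
function nde_demo_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'nde_demo_save', 'nde_demo_nonce' );   // per-user, expiring token
    echo '<input type="hidden" name="action" value="nde_demo_save">';
    echo '<input type="text" name="nde_demo_message" value="'
        . esc_attr( get_option( 'nde_demo_message', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function nde_demo_save_hardened() {
    // 1. Capability: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. CSRF: reject requests lacking a valid nonce bound to this action and user.
    check_admin_referer( 'nde_demo_save', 'nde_demo_nonce' );
    // 3. Sanitize before storing so markup never reaches the database.
    $message = isset( $_POST['nde_demo_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['nde_demo_message'] ) ) : '';
    update_option( 'nde_demo_message', $message );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

function nde_demo_render_hardened() {
    // 4. Escape on output as defence in depth, even though input was sanitized.
    echo esc_html( get_option( 'nde_demo_message', '' ) );
}

add_action( 'admin_post_nde_demo_save', 'nde_demo_save_hardened' );
```

The nonce alone closes the CSRF vector; the capability check, sanitization and output escaping are the separate layers that keep a forged or mistaken save from becoming stored XSS.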
OpenCVE Enrichment
EUVD