The Post Author plugin for WordPress contains a CSRF vulnerability that permits an attacker to inject malicious JavaScript into stored content. If an authenticated or, if CSRF protections are absent, an unauthenticated user crafts a request, the plugin may save and render arbitrary script into a page. The compromised page would then execute the script in the context of any visitor, potentially leaking credentials or hijacking sessions. This is a classic example of CWE‑352 combined with stored XSS, enabling persistent cross‑site attacks.

WordPress sites running the Post Author plugin version 1.1.1 or earlier. The plugin is authored by David Shabtai and appears under the name “Post Author” in the WordPress plugin repository. No specific WordPress core version is mentioned; the issue applies to any WordPress installation hosting these plugin versions.

The CVSS score of 7.1 reflects moderate‑to‑high severity. The EPSS score of less than 1% suggests that, as of this analysis, exploitation attempts are rare, and there is no evidence of widespread attacks. The vulnerability is not listed in the CISA KEV catalog, reinforcing that it has not yet been widely abused. Based on the description, it is inferred that the likely attack path involves a visitor who is an authenticated user (for example, a site administrator) being tricked into submitting a crafted request, or a breached account used to insert malicious code that persists across the site. Given the CSRF nature, an attacker who can get a legitimate user to click a link or load a malicious page could trigger the exploit. Overall risk is moderate, but the potential impact of stored XSS is high enough to warrant prompt remediation.