Impact
The WP Mail Options plugin contains a Cross‑Site Request Forgery (CSRF) flaw that lets an attacker store malicious JavaScript in the site's content. When an authenticated user follows a crafted link, the plugin accepts the submitted payload without verifying that the request was intentionally made by that user, and persists it so that it is served on later page loads. The result is stored cross‑site scripting (XSS): the payload runs in the browser of anyone who loads the affected page, enabling cookie theft, session hijacking or defacement. The vulnerability is classified as CWE‑352 (Cross‑Site Request Forgery) and carries a CVSS score of 7.1, which is in the High band; note that CVSS measures severity, not the likelihood that the flaw will be exploited.
Affected Systems
The flaw affects the Soli WordPress plugin WP Mail Options, version 0.2.3 and earlier. Any site running one of these versions is affected. The page does not identify a fixed release, so confirm the installed version and check the plugin's changelog before relying on an update.
Risk and Exploitability
CVSS rates the vulnerability High, but its EPSS is below 1 %, so widespread exploitation is currently unlikely. Exploitation needs two things: a victim holding an authenticated WordPress session whose privileges the plugin's save handler accepts, and a crafted URL or form that submits the payload on the victim's behalf. The usual delivery is therefore a CSRF page linked from an email or a third‑party site. Once a logged‑in user visits it, the plugin persists the XSS payload, and from then on the script runs in the site's origin for every user who views the injected content, including administrators. The flaw is not listed in CISA's KEV catalog, but chaining CSRF into stored XSS remains a serious threat to site integrity and user credentials; the low EPSS is a prioritisation signal, not evidence that an unpatched site is safe.
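The pattern behind this class of bug, and the controls that close it, are easier to see in code than in prose. The following is an added illustration written for this page, not code from WP Mail Options: a WordPress settings handler in the unsafe shape the advisory describes (no request‑origin check, no sanitisation, unescaped output) next to a hardened version. The option name `wpmo_demo_footer`, the action name `wpmo_demo_save` and all function names are hypothetical; the WordPress API calls (`check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`, and so on) are real.

```php
<?php
/*
 * Illustrative WordPress options handler: the unsafe CSRF-to-stored-XSS shape
 * beside a hardened version. Added example for this page; it is NOT the
 * WP Mail Options plugin's code. Option/action/function names are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// No nonce, no capability check, no sanitisation. Any request that reaches
// wp-admin with the victim's session cookie is accepted, so a form auto-submitted
// from an attacker's page writes attacker-controlled HTML into the option.
function wpmo_demo_save_unsafe() {
    if ( isset( $_POST['wpmo_footer'] ) ) {
        update_option( 'wpmo_demo_footer', $_POST['wpmo_footer'] );
    }
}
add_action( 'admin_init', 'wpmo_demo_save_unsafe' );

// Echoing the stored value unescaped turns it into stored XSS on every page load.
function wpmo_demo_render_unsafe() {
    echo get_option( 'wpmo_demo_footer', '' );
}

// --- Hardened pattern -------------------------------------------------------
// The form carries a nonce bound to the current user's session. An attacker's
// page cannot read it cross-origin, so a forged submission cannot reproduce it.
function wpmo_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpmo_demo_save', 'wpmo_demo_nonce' ); ?>
        <input type="hidden" name="action" value="wpmo_demo_save">
        <input type="text" name="wpmo_footer"
               value="<?php echo esc_attr( get_option( 'wpmo_demo_footer', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function wpmo_demo_save_safe() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: dies with "The link you followed has expired" if the
    //    nonce is missing or invalid, which is exactly what a CSRF request sends.
    check_admin_referer( 'wpmo_demo_save', 'wpmo_demo_nonce' );
    // 3. Sanitise on input: strips tags, octets and line breaks.
    $footer = isset( $_POST['wpmo_footer'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpmo_footer'] ) )
        : '';
    update_option( 'wpmo_demo_footer', $footer );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_wpmo_demo_save', 'wpmo_demo_save_safe' );

// 4. Escape on output, so even a value that reached the database by another
//    route (direct DB edit, older unsanitised data) renders as inert text.
function wpmo_demo_render_safe() {
    echo esc_html( get_option( 'wpmo_demo_footer', '' ) );
}
```

The nonce alone stops the CSRF step, but the three other controls matter for the stored‑XSS half: the capability check limits who can write the option at all, sanitisation keeps script from entering storage, and output escaping makes sure that anything already stored cannot execute. When auditing a plugin for this bug class, look for `update_option` or direct `$wpdb` writes reachable from `admin_init` or `init` without a preceding `check_admin_referer`/`wp_verify_nonce` and `current_user_can`, then trace where the stored value is echoed.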