Impact
This vulnerability is a Cross‑Site Request Forgery that enables an attacker to store malicious script code in the plugin’s configuration or content. Once the payload is stored, it is executed in the browsers of any user who views the affected page, potentially exposing them to credential theft, session hijacking, or defacement. The weakness corresponds to CWE‑352, reflecting the lack of proper request validation.
Affected Systems
The flaw affects the Sana Ullah jQuery Dropdown Menu plugin for WordPress, specifically all releases from the initial version through version 3.0. Any WordPress site running one of these releases is vulnerable. The advisory gives no finer-grained version information beyond "<= 3.0", so every deployment of these releases should be considered at risk.
Risk and Exploitability
The CVSS base score of 7.1 indicates a moderate‑to‑high level of risk. However, the EPSS score of less than 1% suggests that the likelihood of real‑world exploitation is currently low. Because the flaw is a CSRF issue, an adversary would need to trick a legitimate user, or an administrator, into visiting a malicious link or loading a crafted resource from a third‑party site. Since the vulnerability results in stored XSS, successful exploitation can affect every visitor of the site, making it a potentially widespread threat if the attacker chooses to target the plugin’s administrative interface or the drop‑down menu rendering.
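As an added illustration (not the plugin's own code), the following PHP shows the CWE‑352 pattern that turns a CSRF into stored XSS in a WordPress settings page, beside the hardened form that WordPress core APIs provide; the option name `jqdm_menu_html` and all function names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): the CWE-352 pattern behind a
// CSRF-to-stored-XSS bug in a WordPress settings page, beside a hardened form.
// Option name 'jqdm_menu_html' and the handler names are hypothetical.

// BEFORE: any POST that reaches this handler is trusted. A logged-in admin
// whose browser is made to submit it from a third-party page stores the
// value, and it is later printed unescaped for every visitor.
function jqdm_save_settings_vulnerable() {
    if ( isset( $_POST['menu_html'] ) ) {
        update_option( 'jqdm_menu_html', $_POST['menu_html'] );
    }
}
function jqdm_render_menu_vulnerable() {
    echo get_option( 'jqdm_menu_html', '' );
}

// AFTER: capability check plus nonce bind the write to an intentional admin
// action on this site; sanitise on store and escape on output so that even a
// bad stored value cannot run as script.
function jqdm_save_settings_hardened() {
    if ( ! isset( $_POST['menu_html'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies unless a valid nonce from wp_nonce_field( 'jqdm_save', 'jqdm_nonce' ) is present.
    check_admin_referer( 'jqdm_save', 'jqdm_nonce' );
    update_option( 'jqdm_menu_html', wp_kses_post( wp_unslash( $_POST['menu_html'] ) ) );
}
function jqdm_render_menu_hardened() {
    // wp_kses_post keeps only the HTML allowed in post content (no <script>, no on* handlers).
    echo wp_kses_post( get_option( 'jqdm_menu_html', '' ) );
}

// Settings form: the nonce field is what the hardened handler verifies.
function jqdm_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'jqdm_save', 'jqdm_nonce' );
    echo '<textarea name="menu_html"></textarea>';
    submit_button( 'Save menu' );
    echo '</form>';
}
```

The nonce check alone closes the CSRF; sanitising on store and escaping on output independently remove the stored XSS, so a site is protected even if one of the two controls is bypassed.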
OpenCVE Enrichment