Impact
The vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to inject a persistent script into the Pro Rank Tracker WordPress plugin. Once inserted, the stored script is executed whenever the affected plugin content is rendered, enabling an attacker to steal session cookies, deface the site, or hijack user accounts. This is a stored XSS issue with the potential to affect all browsers that visit the compromised pages.
Affected Systems
WordPress installations running the Pro Rank Tracker plugin at version 1.0.0 or earlier. Any site that has the plugin installed and has not been upgraded beyond this version is susceptible.
Risk and Exploitability
With a CVSS score of 7.1 the vulnerability is rated high severity. The EPSS score of less than 1 % indicates a low current likelihood of exploitation, but the nature of the weakness means it could be targeted once attackers become aware of it. The vulnerability is not included in the CISA KEV catalog, yet the combination of CSRF and stored XSS still presents a significant risk to affected sites. The attack vector is likely ordinary web interaction: the attacker induces a privileged user to submit a crafted request, which results in script injection. Any successful compromise results in persistent cross‑site scripting that is served to every future user session that renders the affected content.
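To make the CSRF-to-stored-XSS chain concrete, the following is an added illustration written for this advisory, not code from the Pro Rank Tracker plugin: a WordPress settings-save handler in the vulnerable shape (no nonce, no capability check, no sanitization or escaping) beside a hardened version. The option name `prt_demo_label`, the `prt_demo_save` action and all function names are assumptions.

```php
<?php
// Added illustration (not the Pro Rank Tracker plugin's own code).
// Option name, action name and function names are assumptions.

// --- Vulnerable pattern: no nonce, no capability check, no sanitization/escaping ---
function prt_demo_save_settings_vulnerable() {
    // A logged-in admin tricked into submitting this form stores attacker-
    // controlled markup; the request carries no proof the user intended it.
    update_option( 'prt_demo_label', $_POST['label'] );      // raw input persisted
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function prt_demo_render_vulnerable() {
    // Stored value echoed unescaped: the payload runs for every viewer.
    echo '<h2>' . get_option( 'prt_demo_label' ) . '</h2>';
}

// --- Hardened form ---
function prt_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="prt_demo_save">';
    wp_nonce_field( 'prt_demo_save', 'prt_demo_nonce' ); // per-user, time-limited token
    echo '<input type="text" name="label" value="'
        . esc_attr( get_option( 'prt_demo_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
function prt_demo_save_settings_hardened() {
    // 1. CSRF: verify the nonce bound to this action; wp_die()s on failure.
    check_admin_referer( 'prt_demo_save', 'prt_demo_nonce' );
    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. Input: strip tags and control characters before storing.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'prt_demo_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function prt_demo_render_hardened() {
    // 4. Output: escape at render time regardless of what was stored.
    echo '<h2>' . esc_html( get_option( 'prt_demo_label', '' ) ) . '</h2>';
}
add_action( 'admin_post_prt_demo_save', 'prt_demo_save_settings_hardened' );
```

The nonce check closes the CSRF path, the capability check stops lower-privileged users from reaching the handler, and sanitizing on input plus escaping on output means a stored value can no longer become executable script.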