Impact
A Cross‑Site Request Forgery flaw in the WordPress cTabs plugin lets an attacker cause a logged‑in user who can edit tabs to submit, without realising it, a request that stores attacker‑controlled markup in a tab. Because that markup is later rendered to other visitors, it becomes a stored Cross‑Site Scripting payload that executes in the browser of every user who views the affected tab. The injected script runs in the site's own origin and can read cookies not marked HttpOnly, exfiltrate page data, or mount further client‑side attacks such as defacement, credential theft, or phishing. The weakness is tracked as CWE‑352. Note that CSRF does not involve forged credentials: the forged request is sent by the victim's own browser and carries the victim's existing session cookie, so the plugin accepts it as though the privileged user had submitted it deliberately.
Affected Systems
The affected product is bbodine1’s cTabs plugin for WordPress. All released versions up to and including 1.3 are impacted. No more detailed version list is supplied; the advisory gives the affected range as "n/a through <= 1.3", i.e. no lower bound and everything up to 1.3.
Risk and Exploitability
The scenario carries a CVSS score of 7.1, indicating moderate‑to‑high severity. The EPSS score is reported as less than 1 %, implying a low but non‑zero probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is that an attacker lures an administrator or content editor who is logged in to the site onto an attacker‑controlled page, which submits a forged request to the plugin's tab‑editing interface; the victim's browser attaches the session cookie, the plugin accepts the request (in WordPress plugins the usual cause is a handler that never verifies a nonce, though the advisory does not state the root cause), and the malicious markup is stored for future page loads. Exploitation therefore depends on a victim with tab‑editing privileges acting while logged in, which limits who can be tricked into planting the payload; it does not limit who is harmed, because once stored the script runs for any user who views the tab.
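To make the attack path concrete, the following is an added illustration written for this page; it is not the cTabs plugin's own code and does not claim to show its actual handler. The option key, nonce action, field names and hook name are all hypothetical. It places the weak pattern that allows a forged request to store raw markup beside the hardened pattern that uses WordPress's real anti‑CSRF and sanitisation APIs (`check_admin_referer()`, `wp_nonce_field()`, `current_user_can()`, `wp_kses_post()`).

```php
<?php
/**
 * Added illustration, not the cTabs plugin's own code.
 * Hypothetical names: option 'ctabs_demo_tabs', nonce action 'ctabs_demo_save',
 * nonce field '_ctabs_demo_nonce', POST fields ctabs_title / ctabs_body.
 */

// BEFORE: the weak pattern that turns CSRF into stored XSS.
// Any POST arriving on an authenticated session is trusted: no nonce,
// no capability check, and the submitted markup is stored verbatim.
function ctabs_demo_save_unsafe() {
    if ( isset( $_POST['ctabs_title'], $_POST['ctabs_body'] ) ) {
        $tabs   = get_option( 'ctabs_demo_tabs', array() );
        $tabs[] = array(
            'title' => $_POST['ctabs_title'],
            'body'  => $_POST['ctabs_body'],  // a <script> tag survives here
        );
        update_option( 'ctabs_demo_tabs', $tabs );
    }
}

// AFTER: the hardened pattern.
function ctabs_demo_save_safe() {
    if ( ! isset( $_POST['ctabs_title'], $_POST['ctabs_body'] ) ) {
        return;
    }
    // 1. CSRF: the form must carry a nonce bound to this action and this user.
    //    A page on another origin cannot read it, so a forged request fails
    //    here and check_admin_referer() terminates the request.
    check_admin_referer( 'ctabs_demo_save', '_ctabs_demo_nonce' );

    // 2. Authorization: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 3. Stored XSS: keep only post-safe HTML (no <script>, no on* handlers).
    $tabs   = get_option( 'ctabs_demo_tabs', array() );
    $tabs[] = array(
        'title' => sanitize_text_field( wp_unslash( $_POST['ctabs_title'] ) ),
        'body'  => wp_kses_post( wp_unslash( $_POST['ctabs_body'] ) ),
    );
    update_option( 'ctabs_demo_tabs', $tabs );
}

// The legitimate form emits the matching nonce field and posts to admin-post.php,
// where the admin_post_{action} hook below dispatches to the safe handler.
function ctabs_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ctabs_demo_save">';
    wp_nonce_field( 'ctabs_demo_save', '_ctabs_demo_nonce' );
    echo '<input type="text" name="ctabs_title">';
    echo '<textarea name="ctabs_body"></textarea>';
    echo '<button type="submit">Save tab</button>';
    echo '</form>';
}

// Output side: escape the title; filter the body again on the way out so a
// value edited through some other path still cannot carry script.
function ctabs_demo_render_tabs() {
    foreach ( get_option( 'ctabs_demo_tabs', array() ) as $tab ) {
        echo '<h3>' . esc_html( $tab['title'] ) . '</h3>';
        echo '<div>' . wp_kses_post( $tab['body'] ) . '</div>';
    }
}

add_action( 'admin_post_ctabs_demo_save', 'ctabs_demo_save_safe' );
```

The three checks are independent and all three matter: the nonce stops the cross‑site request, the capability check stops a low‑privilege account from using the same endpoint directly, and `wp_kses_post()` limits the damage if either of the first two is ever bypassed. When auditing a plugin for this class of bug, look for a save handler that reads `$_POST` without a preceding `check_admin_referer()` or `wp_verify_nonce()` call; that is the pattern the advisory describes.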