Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) issue that allows an attacker to inject malicious script into the plugin's data store. When a forged request is accepted, the stored script is later rendered in the administrator or user interface, giving the attacker the ability to execute arbitrary script in the victim's browser (a stored XSS reached through CSRF). This can lead to credential theft, session hijacking, or defacement of the site. The root cause is the plugin's lack of CSRF protection combined with its failure to sanitize user input, classified as CWE-352.
Affected Systems
The flaw exists in the WordPress plugin Scheduled, developed by bhoogterp, for all versions from the initial release up to and including version 1.0. Site administrators using any of these versions are at risk if the plugin remains active.
Risk and Exploitability
Based on the description, it is inferred that an attacker could craft a forged POST request targeting the plugin's storage endpoint, possibly by luring an authenticated administrator to a malicious URL or by abusing an existing session. The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Because the payload is stored, once malicious content is injected it persists and affects every subsequent page load that renders it, for all users with access to those pages.
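The weakness described above (a state-changing handler with no CSRF token, no input sanitization and unescaped output) and the controls that close it can be shown side by side in a WordPress admin handler. The following is an added illustration written for this page, not code from the Scheduled plugin or its author; the hook names, option key, form field names and capability are assumptions chosen for the example.

```php
<?php
// Added example (not the Scheduled plugin's code): a hypothetical WordPress admin
// form handler that stores one text field. The first block shows the weak pattern
// the advisory describes; the second shows the hardened form. All names are assumed.

// --- Weak pattern: a cross-site POST from any page an admin visits is accepted ----
function sched_demo_save_unsafe() {
    // No nonce check: a forged form submission is treated as if the admin sent it.
    // No capability check and no sanitization: raw markup is written to the database.
    update_option( 'sched_demo_label', $_POST['label'] );
}
add_action( 'admin_post_sched_demo_save_unsafe', 'sched_demo_save_unsafe' );

function sched_demo_render_unsafe() {
    // The stored value is echoed unescaped, so injected markup runs in every viewer's browser.
    echo '<p>' . get_option( 'sched_demo_label' ) . '</p>';
}

// --- Hardened form ---------------------------------------------------------------
function sched_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits a hidden nonce field bound to this action and to the current user's session;
    // a third-party site cannot learn its value, which is what defeats CSRF (CWE-352).
    wp_nonce_field( 'sched_demo_save', '_sched_demo_nonce' );
    echo '<input type="hidden" name="action" value="sched_demo_save">';
    echo '<input type="text" name="label" value="'
        . esc_attr( get_option( 'sched_demo_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function sched_demo_save() {
    // 1. CSRF protection: reject any request without a valid nonce for this action.
    if ( ! isset( $_POST['_sched_demo_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_sched_demo_nonce'] ) ), 'sched_demo_save' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    // 2. Authorization: only users allowed to manage settings may change stored data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. Input sanitization: strip tags and control characters before storing.
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    update_option( 'sched_demo_label', $label );
    wp_safe_redirect( admin_url( 'options-general.php?page=sched-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_sched_demo_save', 'sched_demo_save' );

function sched_demo_render_label() {
    // 4. Output escaping: even if a bad value reached storage, it renders as inert text.
    echo '<p>' . esc_html( get_option( 'sched_demo_label', '' ) ) . '</p>';
}
```

The nonce check alone removes the CSRF entry point; the sanitization and escaping steps are what keep a stored value from ever executing, and they also protect against any other path (import, REST, direct database edit) that might write to the same option. When reviewing a plugin for this class of bug, look for `update_option`, `update_post_meta` or direct `$wpdb` writes reachable from `admin_post_*`, `wp_ajax_*` or `admin_init` hooks without a preceding `wp_verify_nonce` / `check_admin_referer` and `current_user_can` call.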