Impact
The NewsBoard Post and RSS Scroller plugin contains a Cross‑Site Request Forgery flaw that allows an attacker to inject malicious JavaScript into the plugin’s storage mechanism. A victim who visits a specially crafted page while logged into the site can trigger the vulnerable action, causing the script to be stored and subsequently executed in the context of any user who views the affected content. This gives the attacker the ability to steal session cookies, hijack accounts, deface the site, or spread further malware. The weakness is classified as CWE‑352, a classic CSRF issue.
Affected Systems
All installations of the NewsBoard Post and RSS Scroller plugin running version 1.2.12 or older are affected.
Risk and Exploitability
With a CVSS base score of 7.1, the flaw is considered high‑severity. The EPSS score is below 1%, indicating a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack is likely performed through a CSRF exploit, which requires the victim to be authenticated to the target site and to visit a malicious URL or a page with an embedded form. If the attacker succeeds, the stored XSS can lead to credential theft or complete site compromise.