Impact
The vulnerability is a cross-site request forgery (CSRF) flaw in the Microblog Poster plugin: an attacker can cause a victim's browser to submit a crafted request that the plugin accepts and records as part of a microblog post. Because the stored content is later rendered on the site without sanitization, the CSRF becomes a persistent (stored) XSS vector. An attacker could run arbitrary JavaScript in the context of any user who views the malicious post, potentially stealing credentials or session cookies, or defacing the blog. The CVE data classifies the weakness as CWE-352.
Affected Systems
The Microblog Poster plugin from Efficient Scripts is affected in all versions up to and including 2.1.6. The plugin is distributed for WordPress sites; any installation running an affected version, from the earliest available build through 2.1.6, is vulnerable. The lower bound is unspecified (n/a) in the CVE data, meaning all earlier builds are included. No other WordPress components are mentioned.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high severity range, yet the EPSS score is below 1%, indicating a low estimated likelihood of exploitation in the wild so far. It is not listed in the CISA KEV catalog. The likely attack path requires a target who is logged in to a site with the plugin enabled; if that user is tricked into clicking a link, the forged request is submitted with their session and the attacker's content is stored on the site. Attackers benefit from a site with a sizable user base, or from a victim who holds administrative access. Because the plugin stores untrusted input without proper encoding, any user who views the affected post can be affected.
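As an added illustration (not code from the Microblog Poster plugin), the following shows how a WordPress plugin form handler closes both halves of this bug class: a nonce and capability check against CSRF (CWE-352), and sanitize-on-input plus escape-on-output against the stored XSS that follows. The option, action and function names (mbp_template, mbp_save_template, mbp_*) are hypothetical.

```php
<?php
// Illustrative example only; option/action/function names are hypothetical.

// 1. The settings form: emit a nonce bound to one specific action.
function mbp_render_settings_form() {
    $current = get_option( 'mbp_template', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mbp_save_template">
        <?php wp_nonce_field( 'mbp_save_template', 'mbp_nonce' ); ?>
        <textarea name="mbp_template"><?php echo esc_textarea( $current ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// 2. The handler: refuse requests without a valid nonce or the right
//    capability, then sanitize the value before it is stored.
function mbp_handle_save_template() {
    // check_admin_referer() calls wp_die() unless the nonce is valid for
    // this action. A form on a third-party site cannot obtain the nonce,
    // so a forged cross-site request never reaches update_option().
    check_admin_referer( 'mbp_save_template', 'mbp_nonce' );

    // Capability check: CSRF protection alone does not replace authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'mbp' ), '', array( 'response' => 403 ) );
    }

    $raw = isset( $_POST['mbp_template'] ) ? wp_unslash( $_POST['mbp_template'] ) : '';
    // Strip tags on the way in, so the stored value cannot carry markup.
    update_option( 'mbp_template', sanitize_textarea_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=mbp&saved=1' ) );
    exit;
}
add_action( 'admin_post_mbp_save_template', 'mbp_handle_save_template' );

// 3. The rendering side: escape at output regardless of what is stored,
//    so a value that slipped past input sanitization still cannot execute.
function mbp_render_post_template() {
    echo '<p class="mbp-template">' . esc_html( get_option( 'mbp_template', '' ) ) . '</p>';
}
```

The two defences are independent: the nonce stops the forged write, and esc_html() on output stops any stored value from being interpreted as script even if a write does get through.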
OpenCVE Enrichment