The WordPress Terms of Use plugin contains a Cross‑Site Request Forgery (CSRF) weakness that allows an attacker to submit arbitrary content, which the plugin stores and later renders as part of a page without sanitization. This creates a stored Cross‑Site Scripting (XSS) vulnerability. Rooted in the CSRF flaw (CWE‑352) the attacker can inject malicious JavaScript. Any user who loads the affected page after the malicious content has been stored can inadvertently execute the injected JavaScript, potentially compromising the confidentiality and integrity of user data within the site.

The vulnerability is present in all releases of the Terms of Use plugin from Strategy11 Team up to and including version 2.0. WordPress sites that have this plugin installed are affected; the issue does not involve the core WordPress software.

The CVSS score of 7.1 denotes a high severity, while the EPSS score of less than 1 % indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. The likely exploitation path involves an attacker crafting a malicious request that triggers the CSRF action, causing the plugin to store the attacker‑supplied script. Based on the description, it is inferred that an attacker must be able to send a request that the plugin accepts and that at least one authenticated user subsequently visits the page to trigger the stored script, but the CVE data does not explicitly state that an authenticated user is required.