Impact
A cross‑site request forgery weakness lets an attacker craft a request that submits attacker‑chosen markup, including JavaScript, to the OmniLeads plugin; the plugin stores that input and later renders it into the site's pages. Because the forged request is issued by the victim's browser, it succeeds only when the victim is already authenticated to the site with access to the plugin's settings. Once stored, the script executes in the browser of any user who views the affected content, enabling defacement or theft of session data. The root cause is the missing CSRF protection (CWE‑352); the stored cross‑site scripting is its consequence.
Affected Systems
The vulnerability exists in the WordPress plugin OmniLeads Scripts and Tags Manager, authored by danielmuldernl, and affects every release from the earliest version through version 1.3. Any WordPress site running one of these versions is exposed.
Risk and Exploitability
With a CVSS v3 score of 7.1 the issue is rated high severity, but the EPSS score is under 1 % and the flaw is not listed in the CISA KEV (Known Exploited Vulnerabilities) catalog, so there is little evidence of exploitation in the wild. An attacker would need to persuade a user who is logged in with access to the plugin's settings to visit a crafted page or otherwise submit the forged request; the stored script then runs in subsequent page views by any visitor. No official patch is recorded. Until a release above 1.3 that addresses the issue is available, the only reliable defenses are to remove or deactivate the plugin; sites that keep it installed remain exposed to cross‑site data theft and defacement.
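The mechanism described under Impact and the mitigation discussed above both come down to one control on the plugin's save path. The following PHP is an added illustration of the weakness class and its fix in a generic WordPress settings handler; it is not the OmniLeads plugin's own code, and the option name `example_tag_snippet`, the action slug `example_save_snippet` and the settings page slug `example-tags` are assumptions chosen for the example. Because a scripts‑and‑tags plugin stores raw `<script>` markup on purpose, the fix is not to strip script tags on output but to prove that the request came from the plugin's own form (nonce) and from a user allowed to publish unfiltered HTML (capability).

```php
<?php
// Added example, not the OmniLeads plugin's own code. Shows the CWE-352 pattern
// that turns a settings form into a stored-XSS vector, beside the hardened form.
// Assumed (hypothetical) names: option 'example_tag_snippet',
// action 'example_save_snippet', settings page slug 'example-tags'.

// --- Vulnerable pattern: every request that reaches this handler is honoured. ---
function example_save_snippet_vulnerable() {
    // No nonce check and no capability check. A logged-in administrator who
    // visits an attacker-controlled page can be made to submit this form
    // (CSRF); the submitted markup is stored and later rendered verbatim,
    // so attacker-chosen JavaScript runs for every visitor (stored XSS).
    $snippet = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'example_tag_snippet', $snippet );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-tags' ) );
    exit;
}

// --- Hardened pattern: bind the request to the plugin's own form and to a
//     user who is allowed to publish raw markup. ---
function example_save_snippet_hardened() {
    // 1. CSRF: check_admin_referer() terminates the request unless a valid
    //    nonce for this action is present (field '_wpnonce' by default).
    //    A cross-site form cannot obtain the nonce, so the forged request dies.
    check_admin_referer( 'example_save_snippet' );

    // 2. Authorization: a plugin that intentionally stores <script> tags must
    //    limit the feature to users who may post unfiltered HTML anyway.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage tag snippets.', 'example' ), 403 );
    }

    // The stored value is raw markup by design; the two checks above are the
    // security boundary, not output filtering.
    $snippet = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'example_tag_snippet', $snippet );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-tags' ) );
    exit;
}

// The settings form submits to admin-post.php and carries the matching nonce.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_snippet">
        <?php wp_nonce_field( 'example_save_snippet' ); ?>
        <textarea name="snippet" rows="8" cols="80"><?php
            echo esc_textarea( get_option( 'example_tag_snippet', '' ) );
        ?></textarea>
        <?php submit_button( 'Save snippet' ); ?>
    </form>
    <?php
}

// Only the authenticated hook is registered; admin-post.php routes requests
// from logged-out users to 'admin_post_nopriv_<action>', which has no handler
// here, so unauthenticated submissions are ignored.
add_action( 'admin_post_example_save_snippet', 'example_save_snippet_hardened' );
```

A quick check for the pattern on an installed plugin is to locate its save handler (the `admin_post_*` hook or the `$_POST` processing in its settings page) and confirm that `check_admin_referer()` or `wp_verify_nonce()` and a `current_user_can()` test run before `update_option()`; the absence of the nonce check is what makes the settings write reachable by a forged cross‑site request.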