Impact
The vulnerability is a Cross‑Site Request Forgery (CSRF) that allows an attacker to store malicious script code in the Rio Video Gallery plugin. Once stored, the payload executes in the browsers of users who view the affected gallery content, giving the attacker the ability to deface pages, steal session data, or mount other downstream attacks. The weakness is catalogued as CWE‑352, the classic CSRF flaw in which a victim's browser is made to send unauthorized state‑changing requests.
Affected Systems
The plugin, available through riosisgroup under the name Rio Video Gallery for WordPress, is affected from its initial release through version 2.3.6. All installations of the plugin that have not been upgraded beyond 2.3.6 are at risk.
Risk and Exploitability
The assessed CVSS score of 7.1 reflects high severity: a moderate‑to‑high impact with potential data exposure and defacement. The EPSS score of < 1 % indicates that, as of the current analysis, exploitation is unlikely yet still plausible, especially in environments where administrators may be exposed to CSRF vectors. The issue is not listed in CISA KEV, but the description indicates a CSRF vulnerability that could be exploited to persist malicious code. Based on the description, it is inferred that an attacker could trick a logged‑in user with editing rights in the gallery context into visiting a page that issues a crafted request on that user's behalf, submitting unauthorized input and thereby triggering the stored XSS. Thus an attacker only needs the victim to be authenticated and to have gallery editing privileges.
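For plugin maintainers, the following is an added PHP illustration (not the Rio Video Gallery code) of the two halves of this flaw class and how WordPress closes them: the handler name rvg_save_gallery, the option key rvg_gallery_title and the nonce name are assumed for the example.

```php
<?php
// Added illustration, not the plugin's code. Handler name rvg_save_gallery,
// option key rvg_gallery_title and the nonce name are assumed for the example.

// VULNERABLE PATTERN (CWE-352): no nonce, no capability check, no sanitization.
// A page the victim visits can auto-submit this form with the victim's cookies;
// the raw value is stored and later rendered, which is the stored-XSS half.
function rvg_save_gallery_vulnerable() {
    update_option( 'rvg_gallery_title', $_POST['gallery_title'] );
}

// HARDENED PATTERN: nonce (CSRF), capability check, sanitize on input,
// escape on output.
function rvg_save_gallery_hardened() {
    // 1. CSRF: the nonce is bound to the user and the action name, so a forged
    //    cross-site request cannot supply it. check_admin_referer() dies on failure.
    check_admin_referer( 'rvg_save_gallery', 'rvg_nonce' );

    // 2. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 3. Input handling: store a sanitized value, never raw POST data.
    $title = isset( $_POST['gallery_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['gallery_title'] ) )
        : '';
    update_option( 'rvg_gallery_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=rvg' ) );
    exit;
}
add_action( 'admin_post_rvg_save_gallery', 'rvg_save_gallery_hardened' );

// The admin form must emit the matching nonce field.
function rvg_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rvg_save_gallery">';
    wp_nonce_field( 'rvg_save_gallery', 'rvg_nonce' );
    echo '<input name="gallery_title" value="' . esc_attr( get_option( 'rvg_gallery_title', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// 4. Output encoding: escape wherever the value is rendered, so anything that
//    did get stored cannot execute in viewers' browsers.
function rvg_render_title() {
    echo '<h2>' . esc_html( get_option( 'rvg_gallery_title', '' ) ) . '</h2>';
}
```

The nonce check alone removes the CSRF vector; the capability check and output escaping are what keep a single missed nonce from becoming a stored XSS for every gallery viewer.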
OpenCVE Enrichment