Impact
A Cross‑Site Request Forgery (CSRF) flaw in the WP Copy Media URL plugin can be abused to store attacker‑controlled script in the site's database: a forged request, riding on a logged‑in user's session, writes the payload into plugin data, and the plugin later renders that data into page output without adequate escaping (a CSRF‑to‑stored‑XSS chain). The script then executes in the browser of any user who views the affected content, enabling theft of user credentials, session hijacking, or defacement of the site. The root weakness is classified as CWE‑352 (Cross‑Site Request Forgery); the stored script execution is the downstream consequence.
Affected Systems
Vulnerable systems are WordPress sites running Ashish Ajani's WP Copy Media URL plugin, version 2.1 or earlier. The flaw lies in the plugin's media URL handling: a payload written through the forged request is persisted in the site's database and remains dormant until the plugin renders it on the front end, so the injection and the script execution can be separated in time and can affect users other than the one whose session was abused. The advisory text does not name a patched release, so site owners should confirm against the plugin's current changelog.
Risk and Exploitability
The flaw carries a CVSS score of 7.1 (High, the 7.0 to 8.9 band), but its EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at this time, and it is not listed in the CISA KEV catalog. The vulnerability allows an attacker to have a victim's browser send a forged request that stores malicious script within the plugin's data, which is later returned to site visitors. The advisory does not detail the exploitation prerequisites, such as the user role required or the social‑engineering step involved. By construction, however, a CSRF attack succeeds only when a user who already has the rights to change the plugin's data (typically an administrator) loads an attacker‑controlled page while logged in; the forged request succeeds because the browser attaches that user's session cookie. The advisory does not state which role is needed, so treat any privileged account as a candidate victim.
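To make the mechanism in the Impact and Risk sections concrete, here is an added example (written for this page, not code from WP Copy Media URL or its author): a minimal WordPress settings handler in the vulnerable shape the advisory describes, beside a hardened version. The hook, option and field names (wcmu_*) are hypothetical; the WordPress functions used (check_admin_referer, current_user_can, esc_url_raw, sanitize_text_field, esc_url, esc_html, wp_nonce_field) are the standard core APIs.

```php
<?php
/**
 * Added illustration, not the plugin's own code. Hook, option and field
 * names prefixed wcmu_ are hypothetical.
 */

// --- BEFORE (vulnerable pattern): no nonce, no capability check, no escaping.
// An admin who visits an attacker page that auto-submits a form to
// admin-post.php?action=wcmu_save_settings_vuln stores whatever that form sends.
add_action('admin_post_wcmu_save_settings_vuln', 'wcmu_save_settings_vuln');
function wcmu_save_settings_vuln() {
    // CWE-352: the write is accepted on the strength of the session cookie alone.
    update_option('wcmu_settings_vuln', array(
        'base_url' => $_POST['base_url'], // unsanitized attacker input persisted
        'label'    => $_POST['label'],
    ));
    wp_safe_redirect(admin_url('options-general.php?page=wcmu'));
    exit;
}
function wcmu_render_vuln() {
    $s = get_option('wcmu_settings_vuln');
    // Stored XSS: persisted values echoed into HTML without escaping.
    echo '<a href="' . $s['base_url'] . '">' . $s['label'] . '</a>';
}

// --- AFTER (hardened): nonce and capability check on write, escaping on read.
add_action('admin_post_wcmu_save_settings', 'wcmu_save_settings');
function wcmu_save_settings() {
    // 1. Anti-CSRF: the nonce is bound to the current user and session, so a
    //    cross-site page cannot forge a valid one. check_admin_referer() dies
    //    with a 403 when the nonce is missing or invalid.
    check_admin_referer('wcmu_save_settings', 'wcmu_nonce');

    // 2. Authorization: only users allowed to manage options may write.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'wcmu'), '', array('response' => 403));
    }

    // 3. Input validation: keep only http/https URLs and plain-text labels,
    //    so javascript: URLs and markup never reach the database.
    $base_url = isset($_POST['base_url'])
        ? esc_url_raw(wp_unslash($_POST['base_url']), array('http', 'https'))
        : '';
    $label = isset($_POST['label'])
        ? sanitize_text_field(wp_unslash($_POST['label']))
        : '';

    update_option('wcmu_settings', array('base_url' => $base_url, 'label' => $label));
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=wcmu')));
    exit;
}

function wcmu_render_settings_form() {
    $s = get_option('wcmu_settings', array('base_url' => '', 'label' => ''));
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="wcmu_save_settings">
        <?php wp_nonce_field('wcmu_save_settings', 'wcmu_nonce'); ?>
        <input type="url"  name="base_url" value="<?php echo esc_attr($s['base_url']); ?>">
        <input type="text" name="label"    value="<?php echo esc_attr($s['label']); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

function wcmu_render() {
    $s = get_option('wcmu_settings', array('base_url' => '', 'label' => ''));
    // 4. Output encoding, chosen per context (URL attribute vs. text node):
    //    even a payload stored before the fix cannot execute on render.
    echo '<a href="' . esc_url($s['base_url']) . '">' . esc_html($s['label']) . '</a>';
}
```

The nonce check alone closes the CWE‑352 write path; the output escaping alone would neutralize the stored XSS. Both are needed, because a nonce added after the fact does nothing about payloads already sitting in the database, and because input sanitization can be bypassed by a later code path that writes the same option. After patching a plugin with this class of flaw, inspect the plugin's stored options and post meta for script fragments before trusting the front end again.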
OpenCVE Enrichment
EUVD