Cross‑Site Request Forgery (CSRF) in AdminGeekZ Varnish WordPress allows an attacker to submit a malicious payload that is saved by the plugin. The stored data is rendered as part of web pages, enabling a stored XSS attack. An attacker can inject JavaScript that runs in the context of any site visitor, potentially stealing cookies, hijacking sessions, defacing pages, or performing other unauthorized actions. This weakness is categorized as CWE‑352.

The vulnerability affects the AdminGeekZ Varnish WordPress plugin, specifically all releases up to and including version 1.7. The affected component is the plugin’s handling of user‑supplied content. Users with the ability to submit or edit content through the plugin can be impacted. All WordPress sites that have installed this plugin and have not upgraded past version 1.7 are at risk.

The CVSS score of 7.1 indicates a high severity, while the EPSS score of < 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to target users of the plugin with the ability to submit content; the attack vector is likely a forged HTTP request sent in the context of an authenticated user or a visited page. Because it is a CSRF‑to‑stored‑XSS flaw, the threat requires an outlet to inject malicious scripts and may only succeed on sites that render the stored payload without adequate sanitization. Organizations should therefore treat this as a critical patching issue pending an update.