Impact
The vulnerability lies in the JSON Structuring Markup plugin for WordPress, where a stored cross-site scripting payload can be planted through a cross-site request forgery attack. An attacker can trick a logged-in user into submitting a crafted request that stores a malicious script in the plugin's configuration. When the stored payload is later rendered on the site, the script runs in the browsers of visitors, potentially stealing credentials, defacing content, or carrying out further malicious actions. The weakness is classified as a CSRF flaw that results in persistent script injection. The impact is limited to environments that run the affected plugin and have authenticated users who can be tricked into submitting the payload.
Affected Systems
WordPress installations that have the JSON Structuring Markup plugin version 0.1 or earlier, released by Sami Ahmed Siddiqui. Sites running these versions are at risk if the plugin is active and exposed to authenticated users.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a low but not nonexistent likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalogue. Exploitation requires that a user with sufficient privileges submit a request to the plugin endpoint, typically induced through a phishing link or a malicious form on a third-party site. Once the payload is persisted, the injected script executes for any visitor to a page that renders it.
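The two sections above describe a CSRF that lands a stored XSS: a settings endpoint accepts a forged request, and the stored value is later printed into pages. The following is an added example, not code from the JSON Structuring Markup plugin or its author; it shows a hypothetical WordPress settings handler in its vulnerable form beside a hardened one. All option names, form field names and function names (the jsm_ prefix) are assumptions, not identifiers from the affected plugin.

```php
<?php
/*
 * Added example, not the JSON Structuring Markup plugin's own code.
 * Hypothetical settings handler for a WordPress plugin that stores
 * structured-data markup in an option and prints it on the front end.
 * Option names, form field names and function names are assumptions.
 */

// --- Vulnerable pattern: no nonce check, no capability check, raw output ---

add_action( 'admin_post_jsm_save_vulnerable', 'jsm_save_vulnerable' );
function jsm_save_vulnerable() {
    // No nonce: a form on any third-party site that the logged-in user's
    // browser submits is accepted, and the value is stored unsanitized.
    update_option( 'jsm_schema_markup', $_POST['schema_markup'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=jsm' ) );
    exit;
}

add_action( 'wp_head', 'jsm_print_vulnerable' );
function jsm_print_vulnerable() {
    // The stored value is echoed verbatim into every page: stored XSS.
    echo get_option( 'jsm_schema_markup' );
}

// --- Hardened pattern ---

function jsm_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'jsm_save_settings', 'jsm_nonce' ); ?>
        <input type="hidden" name="action" value="jsm_save_hardened">
        <textarea name="schema_markup"><?php
            echo esc_textarea( wp_json_encode( get_option( 'jsm_schema_json', array() ) ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_jsm_save_hardened', 'jsm_save_hardened' );
function jsm_save_hardened() {
    // 1. Capability check: only users allowed to manage options may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the nonce is bound to this user, this action and a short
    //    time window, so a forged cross-site form cannot supply a valid one.
    check_admin_referer( 'jsm_save_settings', 'jsm_nonce' );

    // 3. Validate: the setting must be a JSON object, not arbitrary markup.
    $raw  = isset( $_POST['schema_markup'] ) ? wp_unslash( $_POST['schema_markup'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Setting must be a valid JSON object', '', array( 'response' => 400 ) );
    }
    // Store the decoded structure, never the user's raw text.
    update_option( 'jsm_schema_json', $data );
    wp_safe_redirect( admin_url( 'options-general.php?page=jsm&updated=1' ) );
    exit;
}

add_action( 'wp_head', 'jsm_print_hardened' );
function jsm_print_hardened() {
    $data = get_option( 'jsm_schema_json' );
    if ( ! is_array( $data ) ) {
        return;
    }
    // 4. Context-aware output: inside <script type="application/ld+json"> the
    //    risk is a "</script>" sequence inside a string value. JSON_HEX_TAG
    //    encodes "<" and ">" as \u003C / \u003E, so the browser cannot close
    //    the script element early while the JSON stays valid for parsers.
    echo '<script type="application/ld+json">'
        . wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES )
        . '</script>' . "\n";
}
```

The nonce check alone closes the CSRF path, but the stored-XSS half of the chain is only removed by validating what is stored and escaping for the exact output context; a reviewer auditing a settings handler should look for all four steps, since a missing nonce with otherwise correct escaping is still a CSRF that can change site configuration.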