Impact
The vulnerability is a CSRF flaw that allows an unauthenticated attacker to force an authenticated WordPress user's browser to submit a crafted request to the Libro de Reclamaciones y Quejas plugin. The flaw enables the injection of arbitrary JavaScript into the plugin's form data, which the plugin stores and later renders as part of site content, resulting in a stored cross-site scripting vulnerability. Based on the description, it is inferred that the plugin does not properly validate CSRF tokens (WordPress nonces) on the form handler, so the forged request is accepted without the user's consent, and that the submitted fields are neither sanitised on input nor escaped on output.
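The following is an added illustration of the two controls the advisory infers are missing; it is not code from the Libro de Reclamaciones y Quejas plugin or from the plugin author. Every identifier in it (the `ldr_` prefix, the `ldr_complaint` post type, the field and action names) is a hypothetical stand-in. The first handler shows the unsafe pattern the description implies (no nonce check, raw input stored, raw output echoed); the second shows the same form flow with a nonce bound to the action, input sanitisation, and output escaping using standard WordPress functions.

```php
<?php
// Added example, not the plugin's own code. Names with the "ldr_" prefix and
// the "ldr_complaint" post type are hypothetical placeholders.

// --- Unsafe pattern (what the advisory describes), shown only for contrast. ---
// Nothing ties this request to a form the user actually rendered, so any site
// the logged-in user visits can cause their browser to POST here, and whatever
// arrives is written to the database unchanged.
function ldr_handle_submission_insecure() {
    if ( ! isset( $_POST['ldr_submit'] ) ) {
        return;
    }
    wp_insert_post( array(
        'post_type'    => 'ldr_complaint',
        'post_title'   => $_POST['ldr_name'],    // stored without sanitisation
        'post_content' => $_POST['ldr_message'], // stored without sanitisation
        'post_status'  => 'private',
    ) );
}

// --- Hardened pattern. ---
// 1. Render the form with a nonce bound to one named action.
function ldr_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ldr_submit_complaint', 'ldr_nonce' ); ?>
        <input type="hidden" name="action" value="ldr_submit_complaint">
        <input type="text" name="ldr_name" maxlength="100" required>
        <textarea name="ldr_message" maxlength="2000" required></textarea>
        <button type="submit">Enviar</button>
    </form>
    <?php
}

// 2. Verify the nonce before touching the request, then sanitise each field.
function ldr_handle_submission_secure() {
    // wp_verify_nonce() returns false when the token is absent, forged or
    // expired. A cross-site forged request cannot supply a valid one because
    // the token is derived from the user's session and the action name.
    $nonce = isset( $_POST['ldr_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['ldr_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ldr_submit_complaint' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'ldr' ), '', array( 'response' => 403 ) );
    }

    $name    = sanitize_text_field( wp_unslash( $_POST['ldr_name'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['ldr_message'] ?? '' ) );

    if ( '' === $name || '' === $message ) {
        wp_die( esc_html__( 'Missing fields.', 'ldr' ), '', array( 'response' => 400 ) );
    }

    wp_insert_post( array(
        'post_type'    => 'ldr_complaint',
        'post_title'   => $name,
        'post_content' => $message,
        'post_status'  => 'private',
    ) );

    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'ldr_sent', '1', $back ? $back : home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_ldr_submit_complaint', 'ldr_handle_submission_secure' );
add_action( 'admin_post_nopriv_ldr_submit_complaint', 'ldr_handle_submission_secure' );

// 3. Escape on output as well. Input sanitisation limits what is stored, but
//    the render path must not trust stored data either; stored XSS is a
//    rendering bug as much as a storage bug.
function ldr_render_complaint( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return;
    }
    echo '<h3>' . esc_html( $post->post_title ) . '</h3>';
    echo '<p>' . esc_html( $post->post_content ) . '</p>';
}
```

The nonce check is what closes the CSRF hole for the authenticated victim described in this advisory; the sanitise-on-input and escape-on-output steps are what stop a request that does get through from turning into stored script. When reviewing a plugin for this class of bug, look for a form handler that reads `$_POST` without a preceding `wp_verify_nonce()` or `check_admin_referer()` call, and for stored fields echoed without `esc_html()` or `wp_kses()`.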
Affected Systems
WordPress sites running the Renzo Tejada Libro de Reclamaciones y Quejas plugin, any version up to and including 1.0, are affected. The vulnerability applies to all installations where this plugin is active, regardless of site configuration.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity flaw. The EPSS score of less than 1% signifies a very low probability of exploitation at the time of reporting, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires a victim who is authenticated to the WordPress site and who follows a malicious link or submits an attacker-controlled form, allowing the attacker's payload to be stored and executed when the site renders the data. Attackers cannot compromise the server directly; the immediate impact is confined to the browser sessions of users who view the stored payload, but because the payload persists in site content, it can reach many users, including administrators, and so lead to broader site compromise.
OpenCVE Enrichment
EUVD