A cross‑site request forgery vulnerability allows an attacker to inject malicious script into the Advanced Tag Lists plugin, which is then stored and executed for all users who view the affected pages. This stored XSS can lead to session hijacking, defacement, or phishing attacks, compromising the confidentiality, integrity, and availability of the site. The flaw is rooted in missing CSRF protection (CWE-352) and inadequate input sanitization when tag content is saved, enabling the persistence of injected script. The vulnerability is rated a CVSS score of 7.1, indicating a moderate‑to‑high impact, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an authenticated user with permission to create or edit tags, though an attacker could engineer a CSRF request to an authenticated session to achieve the same.

WordPress sites that have the blueinstyle Advanced Tag Lists plugin installed at version 1.2 or earlier. The vulnerability applies to all releases from the earliest available version through 1.2 inclusive, affecting any WordPress installation using this plugin.

With a CVSS of 7.1, the flaw poses a substantial risk to sites that deploy the affected plugin. While the EPSS indicates a low exploitation likelihood, stakeholders should treat the issue with the same seriousness as any stored XSS case. Because the attack vector depends on CSRF, an attacker can craft a request that leverages an authenticated user's session to inject code. Even without an existing patch, the combination of CSRF and stored XSS can be leveraged to compromise the entire site.