Impact
The vulnerability stems from a Cross‑Site Request Forgery flaw: the VKontakte Cross‑Post plugin accepts a forged request, sent from a logged‑in user's browser on the attacker's behalf, without verifying that the user intended it. The forged request carries a malicious script that is then stored in the post content. When a normal site visitor later views the post, the script executes in their browser, enabling the attacker to steal session cookies, deface content, or perform other client‑side attacks. The flaw is classified as CWE‑352 (CSRF).
Affected Systems
The affected product is the WordPress plugin VKontakte Cross‑Post, published by oleglark. All releases up to and including version 0.3.2 are vulnerable. Any WordPress installation that has this plugin installed, regardless of site traffic size, is at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates medium‑to‑high severity, while the EPSS score of less than 1% suggests that the likelihood of active exploitation is currently low; the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to orchestrate a CSRF attack, most likely against an authenticated administrator or another user who can trigger the plugin's post‑creation endpoint. Once the malicious payload is stored, every user who views the compromised content is affected, so the attack vector is effectively network‑based yet still depends on one privileged user interacting with the attacker's page.
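The following is an added illustration of the defect class and its standard WordPress remedy; it is not the VKontakte Cross‑Post plugin's code, and the handler, action and nonce names (vkcp_demo_*) are hypothetical. It places the request‑handling pattern that this advisory describes (no request‑origin check, unsanitized body stored into a post) beside a hardened version that checks a nonce, a capability and sanitizes the content.

```php
<?php
// Added example (not the plugin's code). Hypothetical names:
// vkcp_demo_save_vulnerable, vkcp_demo_save_hardened, the
// 'vkcp_demo_save' admin-post action and the 'vkcp_demo_nonce' field.

// Vulnerable pattern: no nonce, no capability check, no sanitization.
// A cross-site POST replayed by a logged-in user's browser is accepted,
// and attacker-controlled markup is persisted into post_content.
function vkcp_demo_save_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $_POST['content'], // stored verbatim -> stored XSS
    ) );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// Hardened pattern:
// 1. check_admin_referer() verifies a per-user, per-action nonce that a
//    cross-origin page cannot read, so forged requests are rejected (CSRF).
// 2. current_user_can() ties the write to the edit_post capability.
// 3. wp_kses_post() strips <script> and on* handlers, so even a genuine
//    submission cannot store executable script (stored XSS).
function vkcp_demo_save_hardened() {
    check_admin_referer( 'vkcp_demo_save', 'vkcp_demo_nonce' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ) );
    wp_safe_redirect( admin_url( 'post.php?post=' . $post_id . '&action=edit' ) );
    exit;
}
add_action( 'admin_post_vkcp_demo_save', 'vkcp_demo_save_hardened' );

// The legitimate form must embed the matching nonce for the hardened handler.
function vkcp_demo_render_form( $post_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="vkcp_demo_save">';
    echo '<input type="hidden" name="post_id" value="' . absint( $post_id ) . '">';
    wp_nonce_field( 'vkcp_demo_save', 'vkcp_demo_nonce' );
    echo '<textarea name="content"></textarea><button type="submit">Save</button></form>';
}
```

When auditing a plugin for this flaw class, look for any handler that writes request data into a post or option without a check_admin_referer()/wp_verify_nonce() call and a current_user_can() check preceding the write.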