Impact
This vulnerability is a Cross‑Site Request Forgery (CSRF) flaw in the WordPress plugin WP Calais Auto Tagger that can be exploited to store malicious JavaScript in the site's content. By forging a request on behalf of a logged‑in user, an attacker can inject script content that will run in the browsers of visitors. Because the result is stored cross‑site scripting, the impact includes theft of session cookies, page defacement, or follow‑on phishing attacks.
Affected Systems
The issue affects the WordPress plugin WP Calais Auto Tagger from an unknown earliest version through version 2.0. It is distributed by dangrossman under the plugin name "WP Calais Auto Tagger" and is available in the WordPress plugin repository.
Risk and Exploitability
The CVSS base score of 7.1 indicates high severity. The EPSS score of less than 1 % suggests that, although the flaw is serious, exploitation is currently predicted to be infrequent. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web‑based CSRF attack that requires the victim to be authenticated to the site: an attacker crafts a link carrying the malicious payload and entices the victim to open it. Once the forged request reaches the target, the plugin processes the data and stores the injected script, which is then rendered on subsequent page loads for all users.
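As an added illustration (not the WP Calais Auto Tagger code; the handler, option and field names below are hypothetical), this shows the plugin-side pattern that turns a forged request into stored script, beside the mitigated form that verifies a WordPress nonce, checks the user's capability, sanitises on input and escapes on output:

```php
<?php
// Hypothetical settings handler for a WordPress plugin (added example, not
// the WP Calais Auto Tagger code). Option and action names are assumptions.

// --- Weak pattern: no CSRF token, no capability check, raw storage/output.
// A forged POST from an authenticated admin's browser is processed as-is and
// whatever it contains is later echoed into pages (stored XSS).
function wpcat_demo_save_weak() {
    update_option( 'wpcat_demo_tag_prefix', $_POST['tag_prefix'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpcat-demo' ) );
    exit;
}

// --- Hardened pattern.
function wpcat_demo_save_hardened() {
    // 1. Reject requests without a valid nonce bound to this action
    //    (check_admin_referer() dies on failure, so the option is never set).
    check_admin_referer( 'wpcat_demo_save', 'wpcat_demo_nonce' );
    // 2. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. Sanitise on input: strips tags, line breaks and invalid UTF-8.
    $prefix = isset( $_POST['tag_prefix'] )
        ? sanitize_text_field( wp_unslash( $_POST['tag_prefix'] ) )
        : '';
    update_option( 'wpcat_demo_tag_prefix', $prefix );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpcat-demo' ) );
    exit;
}
add_action( 'admin_post_wpcat_demo_save', 'wpcat_demo_save_hardened' );

// The settings form must emit the nonce field that the handler verifies.
function wpcat_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpcat_demo_save">
        <?php wp_nonce_field( 'wpcat_demo_save', 'wpcat_demo_nonce' ); ?>
        <input type="text" name="tag_prefix"
               value="<?php echo esc_attr( get_option( 'wpcat_demo_tag_prefix', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 4. Escape on output wherever the stored value is rendered to visitors.
function wpcat_demo_render_prefix() {
    echo esc_html( get_option( 'wpcat_demo_tag_prefix', '' ) );
}
```

A forged cross-site request cannot carry a valid nonce for the victim's session, so the hardened handler rejects it before anything is stored; the escaping on output is the second layer in case a value reaches the database by another route.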
OpenCVE Enrichment