The User Session Synchronizer plugin for WordPress contains a Cross‑Site Request Forgery flaw that allows an attacker to store malicious script code in the plugin’s data store. When a victim subsequently views the page or any page that loads the stored content, the injected JavaScript executes in the victim’s browser, potentially compromising user accounts, stealing credentials, or defacing the site. The weakness is a classic CSRF‑to‑stored‑XSS vector, as described by CWE‑352.

WordPress sites that have the User Session Synchronizer plugin installed, version 1.4.0 or earlier. The vulnerability affects all builds up to and including release 1.4.0 and does not apply to later releases.

The CVSS score of 7.1 indicates a medium‑to‑high severity. The EPSS score of less than 1% suggests the probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a forged request that includes malicious payload to the plugin’s endpoint; the plugin then stores the payload and later renders it to users, resulting in stored XSS only when at least one user accesses the affected page. The attack requires the ability to induce a browser to send a request to the target site, which is typical for CSRF attacks.