The vulnerability appears as a Cross‑Site Request Forgery that permits an attacker to store malicious JavaScript in the plugin’s database. When a site visitor loads a page that pulls content from the affected plugin, the embedded script is executed in the visitor’s browser. This can lead to data theft, session hijacking, or defacement, affecting the confidentiality, integrity, and availability of the web application. The weakness is identified as CWE‑352, a CSRF flaw that enables stored XSS.

The flaw targets the Ydesignservices Multiple Location Google Map WordPress plugin in any version up to and including 1.1. No specific sub‑versions are listed, so all releases from the earliest available through 1.1 are considered vulnerable. Users must verify the installed plugin version and check for a newer release that contains the fix.

The CVSS score is 7.1, indicating a high severity. The EPSS score is below 1%, suggesting that exploitation is currently rare but still possible. The vulnerability is not in the CISA KEV catalog, so there is no confirmed exploitation data. The attack vector is likely web‑based, where an attacker leverages the CSRF mechanism to inject a payload that is later served as stored XSS content. Once the payload is stored, any visitor to the affected pages can be compromised.