Impact
The flaw is a Cross-Site Request Forgery (CSRF) that lets an attacker cause a logged-in user's browser to submit a request that stores a cross-site scripting (XSS) payload on the victim site. Once stored, the payload executes in the browser of any user who visits the affected page, where it can read data the page exposes, act on that user's behalf (up to account takeover when the visitor is an administrator), or modify page content; session cookies flagged HttpOnly are not readable by the script, but the script can still issue authenticated requests as the victim. The weakness is classified as CWE-352, which covers applications that do not sufficiently verify that a well-formed request was intentionally submitted by the user it appears to come from.
Affected Systems
The vulnerability affects the Mergado Pack plugin for WordPress in all releases up to and including version 4.2.1. Any WordPress site running one of those versions is exposed. Because the attack is a CSRF, exploitation also requires that a user who is logged in with permission to change the plugin's settings opens attacker-controlled content while that session is active.
Risk and Exploitability
With a CVSS score of 7.1 the vulnerability is rated High. The EPSS score at the time of analysis puts the probability of exploitation below 1 percent, but the attack path is cheap: a CSRF needs no stolen credentials or session cookie, only a page (a link, an embedded image or an auto-submitting form) that a logged-in privileged user opens, as long as the browser attaches the site's session cookie to the forged request (which SameSite cookie attributes can limit). The vulnerability is not listed in the CISA KEV catalog, which reflects observed exploitation, not impact. Because the CSRF path produces stored XSS, a successful attack leaves persistent malicious code on the site, which can be used for credential theft, defacement, or further compromise of the site through the sessions of users who load the injected page.
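To make the CWE-352 condition concrete, here is an added illustration of the code shape behind a CSRF-to-stored-XSS chain in a WordPress settings handler, followed by the hardened form. It is not code from the Mergado Pack plugin or from this advisory; the option name demo_banner_text, the nonce action demo_save_settings, and the field and function names are all hypothetical.

```php
<?php
// Added illustration, not code from the Mergado Pack plugin.
// Option name, nonce action, field names and hooks are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// No nonce check: any page that can make a logged-in admin's browser POST
// here (for example an auto-submitting cross-site form) can change the
// option. No sanitisation on write and no escaping on output, so the
// stored value is later emitted as live markup.
function demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['demo_banner_text'] ) ) {
        return;
    }
    // CWE-352: request accepted without proof the user intended it.
    update_option( 'demo_banner_text', $_POST['demo_banner_text'] );
}

function demo_render_banner_vulnerable() {
    // Stored XSS sink: option contents echoed unescaped.
    echo '<div class="banner">' . get_option( 'demo_banner_text', '' ) . '</div>';
}

// --- Hardened pattern ---------------------------------------------------
function demo_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="text" name="demo_banner_text"
               value="<?php echo esc_attr( get_option( 'demo_banner_text', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

function demo_save_settings_hardened() {
    if ( ! isset( $_POST['demo_banner_text'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage settings get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: the nonce is bound to the logged-in user and the action,
    // and a cross-site page cannot read it, so a forged request fails here.
    $nonce = isset( $_POST['demo_nonce'] ) ? $_POST['demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_settings' ) ) {
        wp_die( 'Request could not be verified.' );
    }
    // Sanitise on write so markup never reaches the database.
    $text = sanitize_text_field( wp_unslash( $_POST['demo_banner_text'] ) );
    update_option( 'demo_banner_text', $text );
}

function demo_render_banner_hardened() {
    // Escape on output regardless of what is stored.
    echo '<div class="banner">' . esc_html( get_option( 'demo_banner_text', '' ) ) . '</div>';
}

// Hypothetical wiring: save on admin requests, render in the public footer.
add_action( 'admin_init', 'demo_save_settings_hardened' );
add_action( 'wp_footer', 'demo_render_banner_hardened' );
```

The two checks in the hardened handler are not interchangeable: wp_verify_nonce shows the request came from a form WordPress rendered for this user and this action, while current_user_can shows the user is allowed to perform it; WordPress nonces are not an authorization mechanism on their own. Sanitising on write and escaping on output both matter, because the option may also be written by other code paths than this form.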