Impact
This vulnerability is a Cross‑Site Request Forgery (CSRF) flaw that lets an attacker inject arbitrary content into the WordPress WP2LEADS plugin. Once the attacker can act within the victim's authenticated session, or lures the victim into visiting a crafted link, the malicious input is accepted and stored by the plugin. When end users view the affected content, the injected data is rendered as executable script, resulting in a stored Cross‑Site Scripting (XSS) attack. The flaw is classified as CWE‑352 (Cross‑Site Request Forgery) and undermines the confidentiality, integrity, and availability of the hosted website.
Affected Systems
WordPress installations running the WP2LEADS plugin at version 3.5.0 or earlier are affected. The vulnerable back‑end component is listed as ‘Saleswonder Team: Tobias WP2LEADS’; no other plugins or system components are reported as impacted.
Risk and Exploitability
The assigned CVSS score of 7.1 rates the risk as high; however, the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely leveraged by adversaries. The attack vector is a crafted request that an authenticated user unknowingly submits, so an attacker needs only the ability to entice a legitimate user to click a link or submit a form. No network‑level exploitation or privilege escalation is required, which lowers the effort for an attacker while still allowing significant damage if the flaw is exploited.
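The Impact and Risk sections above describe the CSRF-to-stored-XSS chain in general terms. The following is an added illustration, not WP2LEADS code, of a hypothetical WordPress settings handler (hook name "demo_save_message", option name "demo_message", both invented) in the vulnerable shape and in the hardened shape that closes both halves of the chain: a nonce and capability check stop the forged request, and sanitizing on input plus escaping on output stop the stored script from rendering.

```php
<?php
// Hypothetical settings handler (not WP2LEADS code) showing the CSRF-to-stored-XSS
// pattern and its fix. Hook and option names are invented for this example.

// --- Vulnerable pattern: no nonce, no capability check, raw storage, raw output. ---
function demo_save_message_vulnerable() {
    // Any request carrying the field is accepted, including one forged by a
    // third-party page that a logged-in user is lured into loading.
    update_option( 'demo_message', $_POST['message'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

function demo_render_message_vulnerable() {
    // Stored value is echoed unescaped, so injected markup runs for every viewer.
    echo '<div class="notice">' . get_option( 'demo_message', '' ) . '</div>';
}

// --- Hardened pattern: nonce (CSRF), capability (authz), sanitize in, escape out. ---
function demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_message">';
    wp_nonce_field( 'demo_save_message', 'demo_nonce' ); // per-user, per-action token
    echo '<input type="text" name="message" value="'
        . esc_attr( get_option( 'demo_message', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function demo_save_message_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with 403 if the nonce is missing, expired, or issued for another user/action.
    check_admin_referer( 'demo_save_message', 'demo_nonce' );

    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'demo_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

function demo_render_message_hardened() {
    // Escape at the point of output regardless of how the value was stored.
    echo '<div class="notice">' . esc_html( get_option( 'demo_message', '' ) ) . '</div>';
}

add_action( 'admin_post_demo_save_message', 'demo_save_message_hardened' );
```

Each layer is independent: even if a nonce check were later removed, the output escaping alone would keep the stored value from executing as script, which is why both are worth verifying when reviewing a fix for this class of bug.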