Impact
The 1 Decembrie 1918 plugin for WordPress contains a Cross‑Site Request Forgery vulnerability that allows unauthenticated attackers to forge requests to the plugin’s settings page. Because the page does not include proper nonce validation, an adversary can trick a site administrator into clicking a crafted link and thereby inject malicious JavaScript that is stored in the plugin’s configuration. This stored Cross‑Site Scripting can execute in the context of any visitor who views the affected page, potentially exposing session cookies, defacing the site or facilitating further attacks. The weakness is identified as CWE‑79.
Affected Systems
The vulnerability affects the WordPress plugin 1 Decembrie 1918, distributed by the vendor OlarMarius. All plugin releases with a version tag up to and including 1.dec.2012 are vulnerable, while releases newer than that date are presumably fixed. WordPress sites that have any of those versions installed are at risk.
Risk and Exploitability
The CVSS base score is 6.1, reflecting a medium severity risk. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild at this time, and the issue is currently not listed in the CISA KEV catalog. Nevertheless, exploitation requires the unauthenticated attacker to craft a forged request and induce a site administrator's browser to submit it; phishing or social engineering is the typical prerequisite. Because the flaw allows persistent script injection, remediation should be prioritised.
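The defect class described above, shown as an added illustrative example in PHP rather than the plugin's own code (the option names, function names and form are hypothetical): a settings handler that accepts any POST and echoes the stored value unescaped, beside a hardened version that adds a capability check, WordPress nonce verification, input sanitisation and output escaping.

```php
<?php
// Illustrative example only; NOT code from the 1 Decembrie 1918 plugin.
// Option and function names below are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check, no sanitisation ---
// A forged cross-site POST submitted by a logged-in administrator's browser
// is accepted, and the stored value is later echoed raw (stored XSS sink).
function vuln_example_save_settings() {
    if ( isset( $_POST['vuln_example_message'] ) ) {
        update_option( 'vuln_example_message', $_POST['vuln_example_message'] );
    }
}

function vuln_example_render() {
    echo '<div>' . get_option( 'vuln_example_message', '' ) . '</div>'; // unescaped
}

// --- Hardened pattern ---
function hardened_example_save_settings() {
    // Only users allowed to manage options may reach the handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF defence: the request must carry a nonce bound to this action and the
    // current user's session; check_admin_referer() aborts on a missing/invalid one.
    check_admin_referer( 'hardened_example_save', 'hardened_example_nonce' );

    if ( isset( $_POST['hardened_example_message'] ) ) {
        // Strip tags and control characters before storing; wp_unslash() removes
        // the slashes WordPress adds to request data.
        $clean = sanitize_text_field( wp_unslash( $_POST['hardened_example_message'] ) );
        update_option( 'hardened_example_message', $clean );
    }
}

function hardened_example_form() {
    echo '<form method="post">';
    // Emits the hidden nonce (and referer) fields the save handler verifies.
    wp_nonce_field( 'hardened_example_save', 'hardened_example_nonce' );
    echo '<input type="text" name="hardened_example_message" value="'
        . esc_attr( get_option( 'hardened_example_message', '' ) ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

function hardened_example_render() {
    // Output encoding is the second layer: even a bad stored value is
    // neutralised at the sink.
    echo '<div>' . esc_html( get_option( 'hardened_example_message', '' ) ) . '</div>';
}
```

When auditing a plugin for this issue, look for `update_option()` calls reachable from `$_POST`/`$_GET` data with no preceding `check_admin_referer()` or `wp_verify_nonce()`, and for `get_option()` values echoed without `esc_html()`/`esc_attr()`.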