Impact
A CSRF flaw in the Mike spam‑stopper plugin lets an attacker submit a forged request that stores malicious script code in the database, resulting in stored XSS whenever any user views the affected content. The attacker could inject arbitrary JavaScript that executes in the context of victims' browsers, leading to theft of session cookies, defacement, or redirection to malicious sites. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery), which describes the root cause of the missing request-origin check; the impact, however, manifests as a stored XSS vulnerability.
Affected Systems
The vulnerability affects all installations of Mike’s spam‑stopper plugin with version 3.1.3 or earlier. This includes every WordPress site that has not yet upgraded beyond 3.1.3. No specific WordPress core versions are mentioned, but any site running the affected plugin is at risk.
Risk and Exploitability
The CVSS base score of 7.1 indicates high severity. The EPSS score of less than 1% shows that the overall exploitation probability is very low at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw is a CSRF that leads to stored XSS, an attacker can trigger it with a single forged request and the malicious payload persists until it is deleted. The attack path requires the attacker to convince a user with sufficient privileges (such as an administrator or editor) to visit a crafted URL or submit a forged form. The CSRF vector means exploitation occurs over the network inside a legitimate, authenticated user session, so network controls alone (for example, restricting who can reach the site) do not mitigate it; the fix has to be applied in the plugin's request handling.
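The pattern behind this class of bug, and its standard WordPress fix, as an added example that is not the plugin's code: a hypothetical settings handler (the option name, field name, action name and capability are assumptions) is shown first as the vulnerable form, then hardened with nonce verification, a capability check, input sanitization and output escaping.

```php
<?php
// Added example (not the plugin's code). All identifiers below are hypothetical.

// Vulnerable pattern: any POST that reaches the handler is trusted, and the
// value is stored, then later echoed unescaped. A form forged by a third-party
// site and submitted by a logged-in admin's browser (CSRF) persists
// attacker-controlled markup (stored XSS).
function example_save_settings_vulnerable() {
    update_option( 'example_blocked_message', $_POST['blocked_message'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// Hardened pattern: the same handler with the checks a CWE-352 finding implies
// are missing.
function example_save_settings_hardened() {
    // 1. CSRF: reject requests without a valid nonce minted for this action
    //    (the nonce is emitted by wp_nonce_field() in the form below).
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // 3. Input handling: unslash and sanitize before storing.
    $message = isset( $_POST['blocked_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['blocked_message'] ) )
        : '';
    update_option( 'example_blocked_message', $message );

    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The form that posts to the hardened handler; the nonce field is what
// check_admin_referer() validates.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="blocked_message"
               value="<?php echo esc_attr( get_option( 'example_blocked_message', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 4. Output escaping: a stored value is still escaped wherever it is rendered,
//    which neutralizes script even if an older, unsanitized value remains.
function example_render_blocked_message() {
    echo esc_html( get_option( 'example_blocked_message', '' ) );
}
```

Checks 1 and 2 close the CSRF vector; checks 3 and 4 remove the stored XSS impact even for values written before the fix.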
OpenCVE Enrichment