The translit it! plugin contains a Cross‑Site Request Forgery flaw that permits an attacker to submit a crafted request which stores malicious script payloads in the site database. When a legitimate user later views content that incorporates the stored value, the browser will execute the script in that user’s context, leading to persistent cross‑site scripting. This vulnerability is categorized as CWE‑352 and grants attackers the ability to persistently inject arbitrary code and compromise user confidentiality, integrity, and potentially availability. The impact escalates if the attacker controls an account with administrative privileges or can target multiple users who view affected content.

All installations of the Ichi translit it! WordPress plugin with a version of 1.6 or earlier are affected, from the first released version through to 1.6 inclusive. No additional vendor or product names are listed, so any site hosting this plugin in that version range is at risk.

The CVSS score of 7.1 indicates a high severity. The EPSS score of <1% points to a very low probability of observed exploitation at this time, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector requires forging a request that an authenticated user sends, often initiated through a malicious link or email that causes the user to navigate to a page that triggers the vulnerable action. Once the payload is stored, it can affect any visitor who loads the content where the stored data is rendered. The overall risk to organizations using this plugin is moderate because exploitation demands a level of user interaction and privileged access, but the potential damage if successful makes prompt remediation important.