Impact
The Amazon Showcase WordPress plugin contains a Cross-Site Request Forgery (CSRF) flaw that lets an attacker inject malicious JavaScript into the plugin's data store. Because the plugin neither validates the request nor sanitizes the submitted input, an attacker who induces an authenticated user or privileged actor to submit a crafted request can have the script stored and later executed in the browsers of all users who view the affected content. This stored XSS can be used to steal session cookies, deface the site, or launch further attacks.
Affected Systems
All instances of the Aaron Forgue Amazon Showcase WordPress plugin with a version of 2.2 or earlier are vulnerable. No specific WordPress core version is mentioned, so any site running these plugin versions is affected.
Risk and Exploitability
The CVSS score of 7.1 indicates a high impact if exploited, while the EPSS score of under 1% suggests exploitation is currently rare. The vulnerability is not listed in CISA's KEV catalog, indicating no publicly known exploitation. Exploitation requires the attacker to trick a legitimate user into submitting a malicious request, typically via a crafted link or form that the user is prompted to visit or interact with. Once the payload is stored, it is delivered to any subsequent user who accesses the affected content, making the risk significant for sites with many visitors.
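The two missing controls the advisory describes (request validation against CSRF and input sanitization) are shown below in a hypothetical WordPress settings handler, written here as an illustration and not taken from the Amazon Showcase plugin; the option name `showcase_title`, the nonce action `showcase_save_settings` and the function names are assumptions. The vulnerable form is paired with a hardened form that uses WordPress's own nonce, capability, sanitization and escaping APIs.

```php
<?php
// Hypothetical settings handler illustrating the bug class described above
// (not the Amazon Showcase plugin's own code). Option and function names are
// assumptions chosen for this example.

// --- Vulnerable pattern: no request validation, no sanitization ---
function showcase_save_settings_vulnerable() {
    if ( isset( $_POST['showcase_title'] ) ) {
        // A forged cross-site form submitted by a logged-in admin's browser
        // passes straight through: no nonce, no capability check, raw value stored.
        update_option( 'showcase_title', $_POST['showcase_title'] );
    }
}

function showcase_render_vulnerable() {
    // Unescaped output: whatever was stored runs in every viewer's browser.
    echo '<h2>' . get_option( 'showcase_title' ) . '</h2>';
}

// --- Hardened pattern ---
function showcase_save_settings_hardened() {
    if ( ! isset( $_POST['showcase_title'] ) ) {
        return;
    }
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action; a cross-site form cannot obtain one. Dies with 403 on failure.
    check_admin_referer( 'showcase_save_settings', 'showcase_nonce' );
    // 2. Authorization: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. Input sanitization: strip tags and control characters before storing.
    $title = sanitize_text_field( wp_unslash( $_POST['showcase_title'] ) );
    update_option( 'showcase_title', $title );
}

function showcase_render_hardened() {
    // 4. Output escaping: defence in depth even if bad data reached the store.
    echo '<h2>' . esc_html( get_option( 'showcase_title' ) ) . '</h2>';
}

function showcase_settings_form() {
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() validates.
    wp_nonce_field( 'showcase_save_settings', 'showcase_nonce' );
    echo '<input type="text" name="showcase_title" value="'
        . esc_attr( get_option( 'showcase_title' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

Each of the four controls addresses a different link in the chain: the nonce stops the forged request, the capability check limits who may change the setting, sanitization keeps script out of the store, and escaping keeps anything that does reach the store from executing.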