Impact
A Cross‑Site Request Forgery vulnerability in the Rajesh Broken Links Remover WordPress plugin permits an attacker to inject and store malicious JavaScript. The flaw works in two steps: a forged request changes the plugin’s internal link list, and it stores attacker‑supplied code that will run in the browser of any visitor to the affected site. The consequence is classic stored Cross‑Site Scripting, which can lead to session hijacking, credential theft, or defacement of the site. The weakness is classified as improper CSRF protection (CWE‑352).
Affected Systems
WordPress sites running the Rajesh Broken Links Remover plugin at version 1.2.2 or earlier are affected. The vulnerability applies to every release from the initial version up to and including 1.2.2; no specific sub‑versions are differentiated.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, with both confidentiality and integrity at risk. The EPSS score of less than 1% suggests that, at present, exploitation is unlikely to be widespread in the wild, yet the impact of a successful attack remains severe. The vulnerability is not listed in the CISA KEV catalog, meaning it has not yet been confirmed in active exploitation campaigns. An attacker would likely need to be a WordPress user with sufficient privileges to invoke the plugin’s link removal functionality, or to trick an admin into executing a crafted request. Because the flaw relies on CSRF, an unauthenticated attacker could force an authenticated user to submit the malicious request, which makes the vulnerability exploitable in a realistic threat scenario.
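The two steps described under Impact (a forged request that changes the link list, then stored script running in a browser) are each closed by a separate control, shown here in an added example that is not the plugin's code and is not taken from its source. The action name, option name, field names and function names are hypothetical; the WordPress functions called are the standard core APIs.

```php
<?php
// Added illustration, not the plugin's code. 'blr_example_*' names, the
// 'links' field and the settings page slug are hypothetical.

// Render the admin form with a nonce bound to this action and the current user.
function blr_example_render_form() {
    $links = (array) get_option( 'blr_example_links', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="blr_example_save">';
    wp_nonce_field( 'blr_example_save', 'blr_example_nonce' );
    // Escape on output so a previously stored value cannot run as script.
    echo '<textarea name="links">' . esc_textarea( implode( "\n", $links ) ) . '</textarea>';
    submit_button();
    echo '</form>';
}

// Handle the state-changing request.
function blr_example_save() {
    // 1. Authorization: only administrators may change the list.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: a forged cross-site request cannot supply a valid nonce,
    //    so check_admin_referer() stops it before anything is stored.
    check_admin_referer( 'blr_example_save', 'blr_example_nonce' );

    // 3. Validate on input: keep only well-formed http(s) URLs.
    $raw = ( isset( $_POST['links'] ) && is_string( $_POST['links'] ) )
        ? wp_unslash( $_POST['links'] )
        : '';
    $clean = array();
    foreach ( preg_split( '/\R/', $raw ) as $line ) {
        $url = esc_url_raw( trim( $line ), array( 'http', 'https' ) );
        if ( '' !== $url ) {
            $clean[] = $url;
        }
    }
    update_option( 'blr_example_links', $clean );
    wp_safe_redirect( admin_url( 'options-general.php?page=blr-example' ) );
    exit;
}
add_action( 'admin_post_blr_example_save', 'blr_example_save' );
```

Any front-end template that prints the stored links needs the same output escaping (`esc_url()` for attributes, `esc_html()` for text), since that is where site visitors would otherwise receive the stored script.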