Impact
The vulnerability allows an attacker to perform a cross‑site request forgery that results in stored cross‑site scripting. By tricking an authenticated, legitimate user into submitting a crafted request, the attacker can insert malicious scripts into the Notepads data stored by the plugin. Those scripts execute in the browser of any user who later views the affected notes, potentially enabling session hijacking, defacement, and theft of sensitive data. The weakness is a Cross‑Site Request Forgery flaw that escalates to persistent client‑side code execution.
Affected Systems
Any WordPress installation running the Dashboard Notepads plugin by swedish boy at version 1.2.1 or earlier. The affected product is listed as Dashboard Notepads 1.2.1 and earlier, per the vulnerability description.
Risk and Exploitability
The CVSS score of 7.1 indicates high impact. The EPSS score is below 1%, suggesting a currently low but not negligible probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no widely documented active exploitation yet. The likely attack vector is a malicious website or email that coerces an authenticated user into visiting a crafted URL, using CSRF to inject a script that is stored by the plugin and executed when the notes are later viewed. Secure X‑Content‑Type‑Options configuration and CSRF tokens would prevent exploitation, but the flaw persists in the affected plugin versions.
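To make the two missing controls concrete, the following is an added, hypothetical WordPress dashboard‑note save/render handler, not the Dashboard Notepads plugin's own code; the function and option names are assumptions. The weak form lacks a nonce check (CSRF) and stores and echoes the note unfiltered (stored XSS); the hardened form adds a capability check, WordPress's nonce‑based CSRF token, and filtering on both input and output.

```php
<?php
// Hypothetical illustration only; not the Dashboard Notepads plugin's code.
// Option name 'notepad_text' and the function names are assumptions.

// Weak pattern: the two missing controls behind a CSRF -> stored XSS chain.
// 1. No nonce/referer check, so any site an authenticated admin visits can
//    submit this form with the admin's cookies (CSRF).
// 2. The note is stored and later echoed raw, so injected markup runs in
//    every viewer's browser (stored XSS).
function notepad_save_weak() {
    if ( isset( $_POST['notepad_text'] ) ) {
        update_option( 'notepad_text', $_POST['notepad_text'] );
    }
}
function notepad_render_weak() {
    echo '<div class="notepad">' . get_option( 'notepad_text', '' ) . '</div>';
}

// Hardened pattern.
function notepad_save_hardened() {
    if ( ! isset( $_POST['notepad_text'] ) ) {
        return;
    }
    // Authorization: only users allowed to edit the dashboard may save notes.
    if ( ! current_user_can( 'edit_dashboard' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // CSRF control: verify a nonce bound to this action and the current user.
    // The form must emit it with wp_nonce_field( 'notepad_save', 'notepad_nonce' ).
    check_admin_referer( 'notepad_save', 'notepad_nonce' );
    // Stored XSS control, input side: keep only the post-safe HTML subset.
    $clean = wp_kses_post( wp_unslash( $_POST['notepad_text'] ) );
    update_option( 'notepad_text', $clean );
}
function notepad_render_hardened() {
    // Output side: re-filter on render as defence in depth, which also
    // neutralises notes stored before the fix was applied.
    echo '<div class="notepad">'
        . wp_kses_post( get_option( 'notepad_text', '' ) )
        . '</div>';
}
```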