This vulnerability is a CSRF exploit that lets an attacker trigger a reflected XSS attack against users of the IP2Location Variables WordPress plugin. Through a crafted request that bypasses the plugin’s lack of CSRF protection, a malicious script can be injected into the response and executed in the victim’s browser. The injected script could steal session cookies, deface the site, or perform other malicious actions on behalf of the user. The flaw is categorized as CWE‑352, indicating improper request forgery protections.

The issue affects the IP2Location Variables plugin for WordPress, version 2.9.5 and earlier. The product is distributed by IP2Location. No specific sub‑versions were listed; all builds from the initial release up to and including 2.9.5 are vulnerable.

The CVSS score of 7.1 signifies a high severity. The EPSS score is below 1%, indicating that at the time of analysis the likelihood of real‑world exploitation was considered low, and the vulnerability is not listed in CISA’s KEV catalog. However, because the flaw requires a CSRF attack, an adversary who can trick a logged‑in user into visiting a malicious link can trigger the reflected XSS injection. No additional preconditions are listed; a valid user session is sufficient once the attacker controls the request source.