Impact
The vulnerability is a Cross‑Site Request Forgery (CSRF) in the Right Click Disable OR Ban WordPress plugin that lets an attacker store a malicious script in the WordPress database. The attacker does not submit the request themselves: a logged‑in administrator is tricked into loading an attacker‑controlled page, and the plugin accepts the forged request from that browser without verifying where it came from. Once stored, the payload becomes part of the site's content and executes in the browser of every visitor who loads the affected page, enabling defacement, phishing, or credential theft, and compromising both the confidentiality of user data and the integrity of the application. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery).
Affected Systems
The WP Life Right Click Disable OR Ban plugin (right‑click‑disable‑or‑ban), in versions up to and including 1.1.17, is affected. Any WordPress site on which a vulnerable version of this plugin is installed and active is at risk.
Risk and Exploitability
A CVSS score of 7.1 places the vulnerability in the High band, not a moderate one. The EPSS score below 1 % indicates a low estimated probability of exploitation in the wild at present, but the attack itself is trivial: because the plugin does not require a nonce (anti‑CSRF token) on the request that stores the setting, an attacker only needs a logged‑in administrator to visit a crafted page or URL. The vulnerability is not listed in the CISA KEV catalog, but it should still be addressed promptly because the impact on site visitors can be significant. Note that the attacker needs no credentials of their own: the precondition is a victim with administrator privileges and an active session, and any such user can be lured into triggering the forged request. Until a fixed release is installed, deactivating the plugin removes the exposure.
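The following is an added illustration of the CSRF‑to‑stored‑XSS pattern described in the Impact and Risk sections; it is not the Right Click Disable OR Ban plugin's own code, and the option name `rcdb_settings`, the nonce action `rcdb_save_settings` and the field names are hypothetical. It shows a settings handler that saves a POSTed value with no nonce check and echoes it unescaped, beside the hardened form that adds a capability check, a WordPress nonce, input sanitization and output escaping.

```php
<?php
// Added example, not the plugin's code. Runs inside WordPress (needs wp-load.php);
// 'rcdb_settings', 'rcdb_save_settings' and 'rcdb_message' are hypothetical names.

// --- Vulnerable pattern ----------------------------------------------------
// Saves the setting whenever a POST arrives. There is no nonce check, so a
// cross-origin form auto-submitted from an attacker's page is accepted as long
// as the administrator's session cookie is sent, and the raw value is stored.
function rcdb_vulnerable_save_settings() {
    if ( ! isset( $_POST['rcdb_message'] ) ) {
        return;
    }
    // No check_admin_referer(): any origin can submit this on the admin's behalf.
    // No sanitization: a <script> payload is persisted exactly as sent.
    update_option( 'rcdb_settings', array( 'message' => $_POST['rcdb_message'] ) );
}

function rcdb_vulnerable_render_message() {
    $settings = get_option( 'rcdb_settings', array( 'message' => '' ) );
    echo $settings['message']; // stored payload reaches every visitor's browser
}

// --- Hardened pattern ------------------------------------------------------
function rcdb_get_message() {
    $settings = get_option( 'rcdb_settings', array( 'message' => '' ) );
    return isset( $settings['message'] ) ? $settings['message'] : '';
}

function rcdb_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'rcdb_save_settings', 'rcdb_nonce' ); // token tied to user + action ?>
        <input type="text" name="rcdb_message"
               value="<?php echo esc_attr( rcdb_get_message() ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function rcdb_hardened_save_settings() {
    if ( ! isset( $_POST['rcdb_message'] ) ) {
        return;
    }
    // 1. Capability check: only administrators may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Nonce check: a forged cross-origin request cannot carry a valid nonce
    //    for this user and action; check_admin_referer() stops on failure.
    check_admin_referer( 'rcdb_save_settings', 'rcdb_nonce' );
    // 3. Sanitize on input (strips tags, so "<script>" never reaches the database)...
    $message = sanitize_text_field( wp_unslash( $_POST['rcdb_message'] ) );
    update_option( 'rcdb_settings', array( 'message' => $message ) );
}

function rcdb_hardened_render_message() {
    // 4. ...and escape on output, so even a value stored by older code cannot execute.
    echo esc_html( rcdb_get_message() );
}
```

When auditing a plugin for this class of bug, look for every `update_option()` or direct database write reachable from a request and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call and a `current_user_can()` check sit on the same path; a capability check alone does not stop CSRF, because the forged request is made by a user who already has the capability.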