Impact
The Alink Tap WordPress plugin is vulnerable to Cross‑Site Request Forgery (CWE‑352) because nonce validation on its settings page is missing or incorrect. An attacker does not need an account on the target site: it is enough to induce a logged‑in administrator's browser to submit a forged request to the plugin's admin page. Because the plugin accepts the request without verifying that it originated from its own form, its configuration is overwritten with attacker‑controlled content, including arbitrary JavaScript that is then stored and executed in the browsers of the site's visitors or administrators. The CSRF weakness is the root cause and the stored cross‑site scripting is its consequence; a successful attack can lead to credential theft, defacement or the delivery of further malicious payloads to unsuspecting users of the site.
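To make the failure mode concrete, the following is an added illustration written for this page; it is not code from the Alink Tap plugin, and the option name, form field names and hook names are assumptions. It shows a hypothetical WordPress settings handler that accepts any POST reaching the admin page and echoes the stored value unescaped, next to the hardened form that checks the caller's capability, verifies a nonce and sanitizes the value.

```php
<?php
/*
 * Added example, not the plugin's own code. The option 'example_footer_html',
 * the field/nonce names and the 'example' settings page are all hypothetical.
 */

/* ---------- VULNERABLE PATTERN ---------- */

// No nonce check: a forged cross-site form auto-submitted from a page the
// administrator visits is indistinguishable from a legitimate save, because the
// browser attaches the admin's session cookies to it. No sanitization: whatever
// HTML/JavaScript arrives is persisted as-is.
function example_vuln_save_settings() {
    if ( isset( $_POST['example_footer_html'] ) ) {
        update_option( 'example_footer_html', wp_unslash( $_POST['example_footer_html'] ) );
    }
}

// The stored value is later printed raw on every front-end page: stored XSS.
function example_vuln_render_footer() {
    echo get_option( 'example_footer_html', '' );
}

/* ---------- HARDENED PATTERN ---------- */

// The form carries a nonce bound to the action name and the current user.
function example_safe_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <textarea name="example_footer_html"><?php
            echo esc_textarea( get_option( 'example_footer_html', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_safe_save_settings() {
    if ( ! isset( $_POST['example_footer_html'] ) ) {
        return;
    }

    // 1. Authorization: only users permitted to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() dies unless the request carries a
    //    nonce that this site generated for this user and this action. A page on
    //    an attacker's origin cannot read or forge that value.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Input sanitization: wp_kses_post() strips <script>, on* event handlers
    //    and javascript: URLs, so active content is not persisted even if a
    //    legitimate administrator pastes it.
    $clean = wp_kses_post( wp_unslash( $_POST['example_footer_html'] ) );
    update_option( 'example_footer_html', $clean );
}

// Output is filtered again on render as defence in depth, in case an older
// unsanitized value is still present in the database.
function example_safe_render_footer() {
    echo wp_kses_post( get_option( 'example_footer_html', '' ) );
}

// Hypothetical wiring: process the save on admin_init, print on wp_footer.
add_action( 'admin_init', 'example_safe_save_settings' );
add_action( 'wp_footer', 'example_safe_render_footer' );
```

The nonce check is the fix for the CSRF itself; the capability check and sanitization are not strictly required to close CWE‑352 but are what stop a forged or misused save from turning into stored XSS, which is why all three belong in any settings handler that writes markup to the database.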
Affected Systems
The plugin, developed by todoapuestas under the name Alink Tap, is affected in all versions up to and including 1.3.1. WordPress sites running any of those versions are vulnerable; administrators should compare the installed version against that range. No other systems or plugins are listed as impacted in the advisory.
Risk and Exploitability
The CVSS base score of 6.1 places this at medium severity. The EPSS score of less than 1% estimates a low probability that the flaw will be exploited in the wild over the next 30 days, and the vulnerability is not currently listed in the CISA KEV catalog. Because the weakness is CSRF, the attacker cannot trigger it directly: an authenticated site administrator must be lured into visiting a crafted page or submitting a forged form while logged in, so exploitation requires user interaction. While the exploitation probability is low, the potential impact of the resulting stored XSS, including credential compromise and site defacement, makes this a noteworthy risk for any WordPress site running the vulnerable plugin.