Impact
The vulnerability is a Cross‑Site Request Forgery flaw in the WordPress Google News plugin that lets an attacker have a malicious payload stored through a request the victim's browser submits on the attacker's behalf. When the forged request is accepted as authenticated, the payload is written to the site's database and later rendered in the browser without adequate escaping, allowing execution of arbitrary scripts in the context of the website. This stored XSS can be triggered whenever the stored content is viewed by any user, potentially compromising the confidentiality and integrity of the site. The issue is classified as CWE‑352.
Affected Systems
The flaw affects the Olav Kolbu Google News WordPress plugin for all releases from initial deployment through version 2.5.1 inclusive. Any site running a version prior to 2.5.2 is vulnerable, regardless of the underlying WordPress core version.
Risk and Exploitability
The CVSS base score of 7.1 places the flaw in the high‑impact range, while a low EPSS score of less than 1% indicates that exploitation is currently infrequent. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the weakness remotely by submitting a forged request that bypasses the plugin's CSRF protection, causing the plugin to store the malicious payload. Subsequent rendering of that content on any page that displays the plugin's data delivers the stored script to site visitors, enabling arbitrary script execution in the visitor's browser.
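The chain described above (a state-changing request accepted without a CSRF token, a raw value stored, and that value echoed unescaped) is the pattern the CWE‑352 classification points at. The following is an added, hypothetical WordPress settings handler written for this page; it is not the Google News plugin's code, and the option name, action name and function names are assumed. It places the weak handler beside the hardened one so a reviewer can see the four controls that close the chain: capability check, nonce verification via check_admin_referer(), input sanitisation before storage, and output escaping on render.

```php
<?php
/*
 * Hypothetical settings handler (added example, not the plugin's own code).
 * Option name 'example_news_title' and action 'example_news_save' are assumed.
 */

// --- Weak pattern: no capability check, no nonce, raw storage, raw output ---
function example_news_save_weak() {
    // Any POST reaching admin-post.php with this action is honoured, so a form
    // on a third-party page auto-submitted by a logged-in admin's browser works.
    $title = isset( $_POST['news_title'] ) ? wp_unslash( $_POST['news_title'] ) : '';
    update_option( 'example_news_title', $title ); // payload stored verbatim
    wp_safe_redirect( admin_url( 'options-general.php?page=example-news' ) );
    exit;
}

function example_news_render_weak() {
    // Stored value echoed without escaping: anything stored above runs for
    // every visitor who loads this output (the stored XSS half of the chain).
    echo '<h2>' . get_option( 'example_news_title', '' ) . '</h2>';
}

// --- Hardened pattern ---
function example_news_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits a per-user, time-limited token bound to the action name; a forged
    // cross-site request cannot know it.
    wp_nonce_field( 'example_news_save', 'example_news_nonce' );
    echo '<input type="hidden" name="action" value="example_news_save">';
    echo '<input type="text" name="news_title" value="'
        . esc_attr( get_option( 'example_news_title', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function example_news_save_hardened() {
    // 1. Authorization: the caller must actually be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: nonce must match the action; check_admin_referer() dies on failure.
    check_admin_referer( 'example_news_save', 'example_news_nonce' );
    // 3. Sanitise before storage so the database never holds markup.
    $title = isset( $_POST['news_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['news_title'] ) )
        : '';
    update_option( 'example_news_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-news' ) );
    exit;
}

function example_news_render_hardened() {
    // 4. Escape on output: even a bad value that reached the database is inert.
    echo '<h2>' . esc_html( get_option( 'example_news_title', '' ) ) . '</h2>';
}

add_action( 'admin_post_example_news_save', 'example_news_save_hardened' );
```

Controls 2 and 4 are the ones that independently break this advisory's chain: the nonce stops the forged write, and output escaping stops a stored value from executing even if a write slips through. Sanitising on input (control 3) is defence in depth rather than a substitute for escaping on output.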