Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the WordPress Wp Custom CMS Block plugin. Because the plugin does not validate the origin of incoming requests, an attacker can cause a logged-in user's browser to submit a crafted request that stores attacker-supplied JavaScript in the plugin's content fields. When visitors later load the affected page, the stored script runs in their browsers with the visitor's authority, enabling session hijacking, content defacement or other malicious actions. The weakness is classified as CWE-352.
Affected Systems
Affected systems are installations of the Wp Custom CMS Block plugin in all versions up to and including 2.1. The plugin is developed by Ahsanullah Akanda and is listed in the WordPress plugin repository. Sites running any of these versions are vulnerable; according to the available data, releases after 2.1 are not affected.
Risk and Exploitability
The CVSS score of 7.1 describes a medium-to-high severity issue, and the EPSS score of less than 1% indicates that exploitation is still very unlikely but not impossible. The vulnerability is not currently listed in the CISA KEV catalog, so no active exploitation campaigns have been reported yet. However, because the flaw relies on a single forged request, an attacker who can coerce a logged-in user into loading a page that issues that request, or who carries out a credential-stealing attack, could inject persistent code. Since no formal workaround exists, mitigation must rely on applying a patch or disabling the plugin.
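As an added illustration (not code from the Wp Custom CMS Block plugin or from this advisory), the following hypothetical WordPress settings handler shows the control whose absence CWE-352 describes: the first version saves whatever is POSTed, while the second verifies a nonce and the user's capability before saving and filters the value on both input and output. The `ccb_` function names and the `ccb_block_html` option key are assumptions.

```php
<?php
// Added example: hypothetical plugin handler, not the affected plugin's code.
// Names prefixed ccb_ and the option key 'ccb_block_html' are assumptions.

// --- Vulnerable pattern (CWE-352): no nonce/origin check, no capability check,
// --- raw HTML stored and later echoed without filtering.
function ccb_save_block_vulnerable() {
    if ( isset( $_POST['ccb_block_html'] ) ) {
        // A cross-site POST forged from a logged-in admin's browser lands here.
        update_option( 'ccb_block_html', wp_unslash( $_POST['ccb_block_html'] ) );
    }
}

// --- Hardened pattern.
function ccb_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ccb_save_block">';
    // Emits a per-user, time-limited token bound to the action name.
    wp_nonce_field( 'ccb_save_block', 'ccb_nonce' );
    echo '<textarea name="ccb_block_html">'
        . esc_textarea( get_option( 'ccb_block_html', '' ) ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
}

function ccb_save_block_hardened() {
    // 1. CSRF defence: aborts unless the token in 'ccb_nonce' matches this action
    //    for the current user, which a cross-origin page cannot supply.
    check_admin_referer( 'ccb_save_block', 'ccb_nonce' );
    // 2. Authorization: only users allowed to manage settings may store content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 3. Input filtering: keep post-safe HTML, strip <script> and event handlers.
    $html = isset( $_POST['ccb_block_html'] )
        ? wp_kses_post( wp_unslash( $_POST['ccb_block_html'] ) )
        : '';
    update_option( 'ccb_block_html', $html );
    wp_safe_redirect( admin_url( 'options-general.php?page=ccb&saved=1' ) );
    exit;
}
add_action( 'admin_post_ccb_save_block', 'ccb_save_block_hardened' );

// 4. Output: filter again on render so stored data can never execute as script.
function ccb_render_block() {
    return wp_kses_post( get_option( 'ccb_block_html', '' ) );
}
```

The nonce check alone closes the CSRF path; the capability check and the `wp_kses_post` filtering limit what a legitimately authorized request can store, so the stored-script impact described above is cut off even if a token is somehow obtained.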
OpenCVE Enrichment
EUVD