Impact
Hacklog Remote Attachment permits an attacker to send forged requests that cause the plugin to store malicious JavaScript in its database. When a user later views a page containing the stored payload, the script runs in the victim's browser, enabling session hijacking, credential theft or defacement. The root weakness is a classic cross‑site request forgery (CWE‑352). Because the payload is stored, the impact persists across all future visits to the affected content and constitutes a stored cross‑site scripting risk, not just a one‑off credential compromise.
Affected Systems
WordPress sites running the Hacklog Remote Attachment plugin version 1.3.2 or older, regardless of the WordPress core version. The plugin is distributed by HuangYe WuDeng and is installed by site administrators who want to let users or third parties add remote attachments.
Risk and Exploitability
The CVSS score of 7.1 signals high severity, and the EPSS score of under 1% indicates a low estimated likelihood of exploitation in the wild, though exploitation remains possible. The flaw is not listed in the CISA KEV catalog, suggesting limited public exploitation. Attackers most likely target sites where the admin area or the plugin's attachment endpoint is reachable, and would exploit it by tricking an authenticated user into sending a crafted request. The weakness is a CSRF vector, ordinarily mitigated by anti‑CSRF tokens; the absence of such protection lets the attacker forge the form submission that stores the XSS payload.
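The mitigation named above (an anti‑CSRF token on the form submission) is what WordPress nonces provide. The following is an added illustration, not code from the Hacklog Remote Attachment plugin: a minimal attachment‑saving handler shown first in a weak form that matches the advisory's description (no token, raw input stored), then in a hardened form. Every function name prefixed `hra_example_`, the option name and the capability chosen are assumptions; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `esc_url_raw`, `sanitize_text_field`, `esc_html`) are real core functions.

```php
<?php
// Added illustration (not the plugin's own code). Names prefixed
// hra_example_ and the option key 'hra_example_attachment' are hypothetical.

// --- Weak form: no CSRF token, no capability check, raw input stored ---------
// A page controlled by an attacker can make a logged-in admin's browser POST
// here; whatever arrives in 'title' is stored and later rendered, so a script
// payload persists (the CSRF -> stored XSS chain the advisory describes).
function hra_example_save_attachment_weak() {
    $url   = $_POST['remote_url'];
    $title = $_POST['title'];
    update_option( 'hra_example_attachment', array( 'url' => $url, 'title' => $title ) );
}

// --- Hardened form ----------------------------------------------------------
// 1. The form embeds a nonce tied to the action and the current user session.
//    A cross-site forged request cannot obtain this value.
function hra_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hra_example_save">
        <?php wp_nonce_field( 'hra_example_save', 'hra_example_nonce' ); ?>
        <input type="url" name="remote_url">
        <input type="text" name="title">
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. The handler rejects requests without a valid nonce, requires a capability,
//    and sanitizes every field on input.
function hra_example_save_attachment_hardened() {
    // check_admin_referer() stops the request with an error page when the nonce
    // is missing, belongs to another user, or has expired.
    check_admin_referer( 'hra_example_save', 'hra_example_nonce' );

    // Capability choice is an assumption; pick the narrowest one that fits.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $url   = isset( $_POST['remote_url'] ) ? esc_url_raw( wp_unslash( $_POST['remote_url'] ) ) : '';
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    // esc_url_raw() returns '' for schemes outside wp_allowed_protocols(),
    // so a javascript: URL is rejected here rather than stored.
    if ( '' === $url ) {
        wp_die( 'Invalid attachment URL.', '', array( 'response' => 400 ) );
    }

    update_option( 'hra_example_attachment', array( 'url' => $url, 'title' => $title ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_hra_example_save', 'hra_example_save_attachment_hardened' );

// 3. Output is escaped at render time as a second layer, so records stored
//    before the fix still cannot execute as script.
function hra_example_render_attachment() {
    $att = get_option( 'hra_example_attachment', array( 'url' => '', 'title' => '' ) );
    printf(
        '<a href="%s">%s</a>',
        esc_url( $att['url'] ),
        esc_html( $att['title'] )
    );
}
```

When auditing a plugin for this class of bug, look for the three layers in the hardened handler: a nonce check (`check_admin_referer` or `wp_verify_nonce`) before any state change, a capability check, and escaping on output. A handler that writes `$_POST` data with any of those missing is the pattern this advisory describes.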