Impact
The vulnerability is a Cross‑Site Request Forgery flaw that lets an attacker store malicious JavaScript payloads in the data the plugin saves. When a victim loads a page where that data is rendered, the injected script executes in the victim’s browser, where it can hijack account sessions, harvest cookies, or deface content. The weakness is categorized as CWE‑352 (Cross‑Site Request Forgery) and results in a stored XSS on the front‑end of the site.
Affected Systems
All WordPress installations using Eli’s Related Posts Footer Links and Widget plugin version 1.2.04.20 or earlier are affected. Any site that has not upgraded beyond this version remains vulnerable regardless of other plugin or core updates.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score is below 1%, indicating a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which further suggests limited active exploitation. The most probable attack path involves a legitimate administrator being tricked into submitting a forged request that injects the payload; the payload is then stored and later served to all visitors. On a site running an unpatched version, an attacker could leverage the stored XSS to hijack user sessions or conduct phishing attacks against legitimate users.
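To make the root cause concrete, the following is an added illustration written for this advisory, not code from the affected plugin: a generic WordPress settings handler that lacks a nonce check (the CSRF that enables the stored XSS) shown next to a hardened version. The option name `rpfl_footer_text`, the nonce action `rpfl_save_settings` and the `rpfl_*` function names are assumed placeholders.

```php
<?php
// Added illustration, not the plugin's code. Option and function names are
// hypothetical; the pattern is what matters.

// BEFORE: no nonce or capability check, raw input stored, raw output echoed.
// A form on an attacker-controlled page submitted by a logged-in admin
// (CSRF, CWE-352) stores the payload; every visitor then executes it.
function rpfl_save_settings_vulnerable() {
    if ( isset( $_POST['rpfl_footer_text'] ) ) {
        update_option( 'rpfl_footer_text', $_POST['rpfl_footer_text'] );
    }
}
function rpfl_render_footer_vulnerable() {
    echo get_option( 'rpfl_footer_text', '' );
}

// AFTER: verify the nonce (a forged cross-origin request cannot supply one),
// require the capability, sanitise on write, and escape on output.
function rpfl_save_settings_fixed() {
    if ( ! isset( $_POST['rpfl_footer_text'] ) ) {
        return;
    }
    // Terminates the request with 403 when the nonce is missing or invalid.
    check_admin_referer( 'rpfl_save_settings', 'rpfl_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Strip disallowed tags/attributes (script, event handlers) before storing.
    $text = wp_kses_post( wp_unslash( $_POST['rpfl_footer_text'] ) );
    update_option( 'rpfl_footer_text', $text );
}
function rpfl_render_footer_fixed() {
    // Escape again on output so a value stored by older code is still safe.
    echo wp_kses_post( get_option( 'rpfl_footer_text', '' ) );
}

// Settings form that emits the hidden nonce field the fixed handler checks.
function rpfl_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rpfl_save">
        <?php wp_nonce_field( 'rpfl_save_settings', 'rpfl_nonce' ); ?>
        <textarea name="rpfl_footer_text"><?php
            echo esc_textarea( get_option( 'rpfl_footer_text', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
add_action( 'admin_post_rpfl_save', 'rpfl_save_settings_fixed' );
```

The nonce check alone closes the CSRF path; sanitising on write and escaping on output additionally remove the XSS consequence even if another entry point writes the option.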