Impact
The vulnerability in the Import CDN-Remote Images plugin allows an attacker to perform a cross‑site request forgery that results in stored cross‑site scripting. The flaw exists because the plugin accepts arbitrary remote image URLs and does not protect the action with a proper nonce or authentication guard. An attacker can craft a malicious request that, when executed by an authenticated administrator or user, stores a script payload in the media gallery. When the attacker’s script is later rendered on the site, it runs with the privileges of the user who views the page, enabling defacement, data theft or session hijacking. This flaw is identified as CWE‑352.
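The missing-guard pattern described above, shown beside a hardened handler, as an added PHP example; it is not the plugin's own code, and the function names, the `icri_import_image` action slug and the nonce action are assumptions.

```php
<?php
// Hypothetical handler for an "import remote image" admin action.
// Function names, the action slug and the nonce action are assumed;
// this illustrates the pattern, not the plugin's actual code.

// VULNERABLE PATTERN (CWE-352): any request that reaches admin-post.php
// carrying a logged-in user's cookies is processed. No nonce ties the
// request to a form that user actually submitted, and no capability
// check limits who may import. Attacker-controlled title text is stored
// unsanitized, which is the stored-XSS half of the chain.
function icri_import_image_vulnerable() {
    $url   = $_POST['image_url'];
    $title = $_POST['image_title'];
    media_sideload_image( $url, 0, $title, 'id' );
    wp_redirect( admin_url( 'upload.php' ) );
    exit;
}

// HARDENED PATTERN: verify the nonce, require a capability,
// validate the URL, sanitize stored text, and escape on output.
function icri_import_image_secure() {
    // Dies unless a valid nonce for this action was submitted; a
    // cross-site request cannot obtain one for the victim's session.
    check_admin_referer( 'icri_import_image' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'icri' ), 403 );
    }

    $url = isset( $_POST['image_url'] ) ? esc_url_raw( wp_unslash( $_POST['image_url'] ) ) : '';
    // wp_http_validate_url() rejects non-http(s) schemes and loopback or
    // private hosts, narrowing what the importer will fetch.
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( esc_html__( 'Invalid image URL.', 'icri' ), 400 );
    }

    $title = isset( $_POST['image_title'] ) ? sanitize_text_field( wp_unslash( $_POST['image_title'] ) ) : '';

    $id = media_sideload_image( $url, 0, $title, 'id' );
    if ( is_wp_error( $id ) ) {
        wp_die( esc_html( $id->get_error_message() ), 400 );
    }
    wp_safe_redirect( admin_url( 'upload.php?item=' . (int) $id ) );
    exit;
}
add_action( 'admin_post_icri_import_image', 'icri_import_image_secure' );

// The form posting to this action must emit the matching token:
//   wp_nonce_field( 'icri_import_image' );
```

The nonce and capability checks address the CSRF half; sanitizing stored text and escaping it on every render address the stored-XSS half.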
Affected Systems
The issue affects the Atakan Au Import CDN‑Remote Images WordPress plugin in every release up to and including 2.1.2. Sites running any earlier unreleased or experimental builds are also affected. The vulnerable code path is the plugin’s import functionality, which accepts remote CDN URLs from any user who can cause a request to reach the plugin’s import endpoint.
Risk and Exploitability
The CVSS score of 7.1 places this vulnerability in the high‑severity range, indicating significant potential impact if exploited. The EPSS score of less than 1% suggests that, at this time, the likelihood of a coordinated exploitation effort is low, and it is not listed in the CISA KEV catalog. However, the attack vector is the attacker’s ability to host a malicious file on a CDN and induce an authenticated user to trigger its import, a scenario that requires the victim to be logged into the WordPress installation. Because the flaw allows the injection of arbitrary JavaScript, the damage could be widespread if the attacker successfully compromises a privileged user or any user with write access. The risk is therefore significant for sites that deploy the plugin without a recent update and for which administrators or contributors can access the import function.