A Cross‑Site Request Forgery flaw enables an attacker to inject a malicious payload into the plugin’s settings page. The payload is stored by the plugin and rendered on the site without proper escaping, resulting in Stored XSS. An attacker can execute arbitrary client‑side code in the context of anyone who visits the front‑end page that displays the plugin, potentially compromising user data, hijacking sessions, or defacing content. The underlying weakness is classified as CWE‑352, corresponding to the CSRF vulnerability that allows the attacker to control the stored data. The confirmed CVSS score of 7.1 indicates a high severity of the weakness.

The vulnerability affects the WordPress plugin titled 百度分享按钮 by cuckoohello. All releases from the initial version up to and including 1.0.6 are impacted. No later version information is provided, so any installation of a version 1.0.6 or older is considered vulnerable.

The vulnerability is exploited via CSRF, allowing an attacker to submit a forged request that writes malicious JavaScript into the plugin’s settings page. Because the stored payload is rendered unescaped on the front‑end, a visitor to any page that displays the plugin will execute the code in their own browser session. The CVSS score of 7.1 classifies the flaw as high severity, and the EPSS score of less than 1% indicates that, as of this analysis, the probability of exploitation is currently very low. The CVE is not listed in the CISA KEV catalog, suggesting no known widespread exploitation has been reported. Nonetheless, any site that still uses a vulnerable version faces the same risk if an attacker can force an administrator to send the CSRF request or if the site is susceptible to cross‑site requests via a logged‑in attacker.