Impact
The WP Admin Theme plugin saves its configuration without verifying that the request came from a legitimate, user-initiated action. An attacker can therefore craft a request (for example, a form on an attacker-controlled page) that, when loaded by a logged-in administrator, stores attacker-supplied JavaScript as part of the plugin's configuration. The stored script executes whenever an administrator or other privileged user views the affected page, so the attacker can steal session cookies, deface content, or perform other actions in the victim's browser with that user's privileges. This is a classic Cross-Site Request Forgery (CWE-352) that results in stored client-side code injection.
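The following is an added illustration of the pattern behind this class of bug and its fix; it is not code from the WP Admin Theme plugin, and the option name, field names, action name and capability are assumptions chosen for the example. The root cause is assumed (consistent with the inferred CSRF vector) to be an admin-side save handler that trusts any POST without a nonce or capability check. WordPress functions used (check_admin_referer, current_user_can, wp_nonce_field, wp_strip_all_tags, esc_textarea, update_option, get_option) are the real core APIs.

```php
<?php
// Added example, not the plugin's own code. All 'wpat_example_*' names are hypothetical.

// --- Vulnerable pattern (assumed root cause) ---
// Any POST that reaches this handler is trusted. A logged-in administrator lured to an
// attacker's page can have arbitrary HTML/JS written into the option, which is later
// rendered in the admin UI and executes there.
function wpat_example_save_settings_vulnerable() {
    if ( isset( $_POST['wpat_custom_css'] ) ) {
        update_option( 'wpat_example_settings', wp_unslash( $_POST['wpat_custom_css'] ) );
    }
}

// --- Hardened pattern ---
function wpat_example_save_settings_hardened() {
    // 1. Authorisation: only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 2. CSRF protection: require a valid nonce bound to this action and this user.
    //    A form on another origin cannot obtain or guess it; on failure WordPress
    //    stops the request with "The link you followed has expired."
    check_admin_referer( 'wpat_example_save', 'wpat_example_nonce' );

    // 3. Input sanitisation: strip markup before storing, so the option cannot carry
    //    script even if a later bug bypasses steps 1 and 2.
    $raw   = isset( $_POST['wpat_custom_css'] ) ? wp_unslash( $_POST['wpat_custom_css'] ) : '';
    $clean = wp_strip_all_tags( $raw );
    update_option( 'wpat_example_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Settings form: emits the nonce field the hardened handler verifies and escapes the
// stored value on output, so the admin page never renders it as markup.
function wpat_example_render_form() {
    $value = get_option( 'wpat_example_settings', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpat_example_save">';
    wp_nonce_field( 'wpat_example_save', 'wpat_example_nonce' );
    echo '<textarea name="wpat_custom_css">' . esc_textarea( $value ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Route the form submission to the hardened handler via admin-post.php.
add_action( 'admin_post_wpat_example_save', 'wpat_example_save_settings_hardened' );
```

The three checks are independent layers: the capability check stops low-privileged users, the nonce check stops cross-site requests even from a privileged victim, and sanitisation on input plus escaping on output keeps a stored value from ever executing. Which sanitiser fits (wp_strip_all_tags, sanitize_text_field, or wp_kses with an allow-list) depends on what the option legitimately needs to hold.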
Affected Systems
WordPress sites running the WP Admin Theme plugin by shmish111 at version 1.0 or earlier. The flaw is specific to this plugin rather than to WordPress core, and any installation that loads the plugin at an affected version is exposed; no fixed release beyond the stated cutoff is identified here, so the safe course is to remove or deactivate the plugin until one is available.
Risk and Exploitability
The CVSS score of 7.1 places this vulnerability in the high severity range. The EPSS score is below 1%, meaning that, as of the last assessment, exploitation in the wild is considered unlikely, though not impossible. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so no active, widely known exploitation has been recorded there. The attack vector is inferred to be a web-based CSRF request that must be triggered while an administrator's session is active: anyone who can get a logged-in admin to open a crafted link, or who embeds the request in a phishing email, could trigger it. Because the payload is stored, one successful request is enough; the script then runs for every privileged user who views the affected page until the configuration is cleaned.