Impact
The vulnerability allows a remote attacker to exploit a Cross‑Site Request Forgery flaw in the WordPress WPMU Ldap Authentication plugin. Through a crafted request that the site accepts as legitimate, the attacker can inject JavaScript code into persistent storage used by the plugin. When other users subsequently load the affected content, the injected script runs in their browsers, enabling the attacker to steal session cookies, deface the site, or perform other malicious actions. The weakness is a combination of CSRF and stored XSS, which together raise the risk of arbitrary client‑side code execution after a single forged request.
Affected Systems
Any WordPress installation running the Aaron Axelsen WPMU Ldap Authentication plugin in any version from the initial release up to and including 5.0.1 is affected. No other versions or products are listed as vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑high severity. The EPSS score of less than 1 % suggests that exploitation attempts are unlikely to be widespread or highly automated at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated or low‑privilege attacker whose crafted HTTP request the plugin accepts as if it came from an authenticated administrator, so that the stored JavaScript then executes on subsequent page loads.
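As an added illustration that is not the plugin's code (function and option names are placeholders), the settings-handler pattern that produces this CSRF plus stored XSS combination in a WordPress plugin, beside the hardened form that defends against both halves:

```php
<?php
// Hypothetical WordPress plugin settings handler used for illustration.
// The option key 'ldap_demo_server' and all function names are placeholders.

// Vulnerable pattern: the request is trusted without a nonce or capability
// check, and the submitted value is stored and later printed without escaping.
function ldap_demo_save_settings_vulnerable() {
    if ( isset( $_POST['ldap_demo_server'] ) ) {
        update_option( 'ldap_demo_server', $_POST['ldap_demo_server'] ); // stored as-is
    }
}

function ldap_demo_render_vulnerable() {
    // Unescaped output: a stored "><script>... payload breaks out of the attribute.
    echo '<input name="ldap_demo_server" value="' . get_option( 'ldap_demo_server' ) . '">';
}

// Hardened pattern: CSRF is blocked by the nonce tied to the administrator's
// own form, the capability check enforces least privilege, and input is
// sanitised on save and escaped on output for its HTML attribute context.
function ldap_demo_save_settings_hardened() {
    if ( ! isset( $_POST['ldap_demo_server'] ) ) {
        return;
    }
    // Dies unless the nonce issued to this user for this action is present and valid.
    check_admin_referer( 'ldap_demo_save_settings', 'ldap_demo_nonce' );
    // Only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $server = sanitize_text_field( wp_unslash( $_POST['ldap_demo_server'] ) );
    update_option( 'ldap_demo_server', $server );
}

function ldap_demo_render_hardened() {
    $server = get_option( 'ldap_demo_server', '' );
    // Escape for the attribute context and emit the nonce the save handler checks.
    echo '<input name="ldap_demo_server" value="' . esc_attr( $server ) . '">';
    wp_nonce_field( 'ldap_demo_save_settings', 'ldap_demo_nonce' );
}
```

On the detection side, forged settings saves show up in the web server log as POST requests to the plugin's settings endpoint with a Referer or Origin header that does not match the site's own admin pages.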