Impact
Cross-Site Request Forgery (CSRF) in the Kento Splash Screen WordPress plugin lets an attacker make the site store arbitrary JavaScript. The plugin accepts a state-changing request without verifying that the logged-in user actually intended to send it (CWE-352, Cross-Site Request Forgery), so an attacker who gets a privileged user to submit a forged request can save a script payload into the plugin's settings. That payload is then served to every subsequent visitor and runs in their browsers: the CSRF flaw turns into a persistent (stored) XSS. Consequences include theft of session cookies or credentials, site defacement, and actions carried out in the browser with the victim's privileges, including further changes to the site when the victim is an administrator.
Affected Systems
The plugin is sold by PluginsPoint as the Kento Splash Screen add-on for WordPress. All versions from the first release up to and including 1.4 are affected. Site administrators running any of those versions should update to a patched release if one is available, or remove the plugin until one is.
Risk and Exploitability
With a CVSS score of 7.1 (High), the vulnerability is serious but not critical. Its EPSS score of less than 1 % indicates a low probability of exploitation in the near term, and it is not listed in the CISA KEV catalog. Nevertheless, the flaw lets an attacker inject code that is stored once and then served to every visitor, so a single successful forgery creates a persistent threat. The most likely exploitation path is a malicious page or link that an authenticated administrator (or another user with permission to change the plugin's settings) opens while logged in; the page auto-submits a forged request to the plugin's settings endpoint, the browser attaches the victim's session cookies, the plugin saves the attacker's script, and it is subsequently delivered to all site visitors. The attacker needs no account on the target site, but does need a privileged victim who is logged in and interacts with attacker-controlled content, which is the user-interaction requirement typical of CSRF.
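The pattern behind a CSRF-to-stored-XSS bug in a WordPress settings handler, shown as an added illustration that is not the Kento Splash Screen plugin's own code: a handler in the vulnerable shape (no nonce, no capability check, no sanitization) beside the hardened form. The option name, action names, nonce name and field name are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed "example_" are
// hypothetical; the WordPress functions used are the standard ones.

// --- Vulnerable shape: any POST that reaches admin-post.php with this action
// while an administrator is logged in is accepted and stored verbatim. A page
// under the attacker's control can auto-submit such a form; the browser sends
// the admin's cookies with it, and the script lands in the site's options.
function example_splash_save_vulnerable() {
    // No nonce check, no capability check, no sanitization.
    update_option( 'example_splash_html', wp_unslash( $_POST['splash_html'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-splash' ) );
    exit;
}
add_action( 'admin_post_example_splash_save_vulnerable', 'example_splash_save_vulnerable' );

// --- Hardened shape: three independent controls. ---
function example_splash_save() {
    // 1. Capability: only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 2. CSRF: the request must carry a nonce minted for this action and this
    //    user; a forged cross-site form cannot know it. check_admin_referer()
    //    calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'example_splash_save', 'example_splash_nonce' );

    // 3. Sanitize on input: wp_kses_post() removes <script>, on* event
    //    handlers and javascript: URLs while keeping ordinary post markup.
    $html = isset( $_POST['splash_html'] )
        ? wp_kses_post( wp_unslash( $_POST['splash_html'] ) )
        : '';
    update_option( 'example_splash_html', $html );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-splash' ) ) );
    exit;
}
add_action( 'admin_post_example_splash_save', 'example_splash_save' );

// Settings form: wp_nonce_field() emits the hidden field that the hardened
// handler checks, bound to the current user and to this action.
function example_splash_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_splash_save">
        <?php wp_nonce_field( 'example_splash_save', 'example_splash_nonce' ); ?>
        <textarea name="splash_html"><?php echo esc_textarea( get_option( 'example_splash_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Front-end output: filter again on the way out. This is defence in depth and
// also neutralises a payload that was stored before the fix was applied.
function example_splash_render() {
    echo wp_kses_post( get_option( 'example_splash_html', '' ) );
}
add_action( 'wp_footer', 'example_splash_render' );
```

The nonce check is what closes the CSRF; the capability check stops low-privilege accounts from saving at all; and filtering on both input and output is what keeps a forged or otherwise malicious submission from becoming stored XSS. When auditing a plugin for this class of bug, look for `update_option()` calls reachable from `admin_post_*`, `admin_init` or `wp_ajax_*` handlers that are not preceded by `check_admin_referer()` / `wp_verify_nonce()` and `current_user_can()`.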
OpenCVE Enrichment