This bug is a Cross‑Site Request Forgery flaw that can result in stored cross‑site scripting within the Social Profilr WordPress plugin. An attacker sending a forged request can inject malicious JavaScript that will be stored in the plugin’s data and later executed in the browsers of users who view the affected content, potentially allowing data theft, session hijacking, or other malicious actions. The weakness is classified as CWE‑352, indicating that the plugin accepts a state‑changing request without adequately verifying the origin or authenticity of the request. Proper exploitation would likely require the attacker to lure a legitimate user to a crafted URL or form that the user submits without realizing the malicious payload is present.

Impact affects the Social Profilr WordPress plugin version 1.0 or earlier. The plugin is integrated into WordPress sites and is responsible for displaying social network profiles. All sites running any version of the plugin through 1.0 are vulnerable. No specific WordPress core versions are mentioned in the CVE, so any WordPress installation using this plugin is at risk.

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% shows a very low probability of widespread exploitation at the time of this analysis. The vulnerability is not currently listed in the CISA KEV catalog. Likely exploitation would involve a victim clicking a crafted link or submitting a form that carries the malicious payload, at which point the plugin’s lack of CSRF protection would persist the XSS script in the site’s data. Attacks could be carried out remotely, as the vulnerability does not require local privileges or authentication to the site’s backend.