Impact
Cross-Site Request Forgery in the Mindstien Technologies Recent Posts From Each Category plugin can be used to trigger Stored Cross-Site Scripting. The flaw lets an attacker have an authenticated user unknowingly submit a forged request that the site's server processes as legitimate, resulting in malicious script being stored in the plugin's data and executed in site members' browsers. This can lead to credential theft, session hijacking, defacement, or further compromise of the WordPress site.
Affected Systems
The vulnerability exists in the Recent Posts From Each Category plugin by Mindstien Technologies, affecting all releases from the first unversioned build through version 1.4 inclusive. WordPress installations running this plugin at version 1.4 or earlier are at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high impact, while the EPSS score of less than 1% shows that active exploits are currently rare. The flaw is not listed in the CISA KEV catalog, implying no documented mass exploitation events yet. The likely attack path requires a victim who is authenticated as an administrator or moderator: a malicious site crafts a forged request that the victim's browser submits without their knowledge, and the stored XSS payload is written to the site's database and served to other visitors. The attacker does not need elevated privileges, and the flaw can be exploited remotely from any location with network access to the WordPress instance.
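The chain described above, as an added illustration rather than the plugin's own code (which this advisory does not show): a WordPress settings handler with the pattern that makes CSRF-to-stored-XSS possible, beside its hardened form. All function, option and nonce names are hypothetical.

```php
<?php
// Added illustration; not code from the Recent Posts From Each Category plugin.
// Option, nonce and function names are hypothetical.

// VULNERABLE pattern: the handler trusts any POST that reaches it.
// A form on an attacker's page, submitted by a logged-in admin, arrives with
// the admin's cookies and is processed; the unsanitized value is stored and
// later echoed raw into every visitor's page.
function rpfec_demo_save_title_vulnerable() {
    if ( isset( $_POST['rpfec_demo_title'] ) ) {
        // no nonce check, no capability check, no sanitization
        update_option( 'rpfec_demo_title', $_POST['rpfec_demo_title'] );
    }
}
function rpfec_demo_render_title_vulnerable() {
    echo '<h2>' . get_option( 'rpfec_demo_title' ) . '</h2>'; // no output escaping
}

// HARDENED pattern: three independent controls, each closing one link of the chain.
function rpfec_demo_save_title_hardened() {
    if ( ! isset( $_POST['rpfec_demo_title'] ) ) {
        return;
    }
    // 1. CSRF: the request must carry a nonce bound to this action and the user's
    //    session. A cross-site form cannot know it, so check_admin_referer() dies here.
    check_admin_referer( 'rpfec_demo_save_title', 'rpfec_demo_nonce' );
    // 2. Authorization: only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 3. Stored XSS: strip tags and control characters before the value is persisted.
    $title = sanitize_text_field( wp_unslash( $_POST['rpfec_demo_title'] ) );
    update_option( 'rpfec_demo_title', $title );
}
function rpfec_demo_render_title_hardened() {
    // Escape on output as well; stored data is never assumed safe.
    echo '<h2>' . esc_html( get_option( 'rpfec_demo_title', '' ) ) . '</h2>';
}

// The legitimate settings form emits the matching nonce so real submissions pass check 1.
function rpfec_demo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'rpfec_demo_save_title', 'rpfec_demo_nonce' );
    echo '<input type="text" name="rpfec_demo_title" value="'
        . esc_attr( get_option( 'rpfec_demo_title', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

A patched release of an affected plugin is expected to add the nonce and capability checks on the save path and escaping on the render path; a reviewer can confirm a fix by looking for exactly those three controls.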
OpenCVE Enrichment