A Cross‑Site Request Forgery vulnerability in the WordPress plugin BP Profile as Homepage allows an attacker to submit a crafted request that creates a stored cross‑site scripting payload. The stored XSS can execute arbitrary JavaScript in the context of any user who views the affected page, potentially leading to session hijacking, credential theft, or defacement of the site. The weakness is a classic CSRF that injects malicious script content. Based on the description, the primary impact is cross‑site scripting that persists in the site’s content and can be triggered by any visitor to the page where the payload is stored.

WordPress sites that have the BP Profile as Homepage plugin by Jatinder Pal Singh installed in a version up and including 1.1. The vulnerability is reported for all releases from the earliest available version through 1.1, so any site using a technically unspecified earlier release or the 1.1 release and below is affected.

The CVSS v3.1 score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely to be widely automated at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no known mass exploitation campaign. The likely attack vector is a CSRF attack: an attacker would convince an authenticated site administrator or user to load a malicious link or form that submits the malicious payload to the site, thereby storing the XSS for all visitors.