Impact
The vulnerability is a stored Cross‑Site Scripting flaw that allows an attacker to inject malicious script into web page output through the CF7 Spreadsheets plugin. The issue arises from improper input neutralization when content is generated, producing a CWE‑79 weakness. An attacker who can submit data via the plugin may be able to compromise browsers of users who view the affected page, potentially stealing session cookies, hijacking accounts, or defacing the site. The impact is on confidentiality and integrity of the end‑user’s session but does not provide direct remote code execution on the server.
Affected Systems
This affects the CF7 Spreadsheets plugin authored by moshensky, with all releases through version 2.3.2. The plugin is commonly used in WordPress installations where form data is collected and exported to spreadsheets.
Risk and Exploitability
The CVSS score is 6.5, indicating moderate severity. The EPSS score is under 1%, suggesting a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a stored XSS scenario: an attacker crafts a malicious form submission, the plugin stores it, and it is later rendered in the browser of any user viewing the data. Delivering such a payload may require the ability to submit form data through the plugin’s interface, which is typically available to authenticated users.
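The CWE‑79 pattern described above, vulnerable and fixed side by side, as an added illustration that is not the plugin's own code and makes no claim about where in CF7 Spreadsheets the flaw lives. The stored row, the function names and the rendering layout are all constructed for the example; the fix is plain PHP `htmlspecialchars()`, and the WordPress equivalent it stands in for is `esc_html()`.

```php
<?php
// Added example (not the plugin's code): stored form data rendered into HTML
// without neutralization (CWE-79), beside the same rendering with output
// escaping. All names and data are hypothetical.

// Constructed stored submission, as it might sit in a database row after a
// form post. The "name" field carries the canonical XSS test string.
$stored_row = [
    'name'    => '<script>alert(1)</script>',
    'email'   => 'user@example.com',
    'message' => 'Hello & "welcome"',
];

// VULNERABLE: stored values are concatenated straight into markup, so any
// tag a submitter stored is interpreted by the browser of whoever views it.
function render_row_vulnerable(array $row): string {
    $html = '<tr>';
    foreach ($row as $value) {
        $html .= '<td>' . $value . '</td>';   // no neutralization
    }
    return $html . '</tr>';
}

// FIXED: each value is escaped for the HTML text context it lands in.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string. In WordPress the
// equivalent helper is esc_html().
function render_row_escaped(array $row): string {
    $html = '<tr>';
    foreach ($row as $value) {
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html   .= '<td>' . $escaped . '</td>';
    }
    return $html . '</tr>';
}

// A check a reviewer or unit test can run against rendered output: no raw
// <script> tag from the stored input may survive into the page.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$vuln = render_row_vulnerable($stored_row);
$safe = render_row_escaped($stored_row);

echo "Vulnerable output:\n$vuln\n\n";
echo "Escaped output:\n$safe\n\n";
echo 'Raw <script> tag in vulnerable output: ' . var_export(contains_raw_script($vuln), true) . "\n";
echo 'Raw <script> tag in escaped output:    ' . var_export(contains_raw_script($safe), true) . "\n";
```

Run with `php example.php`: the vulnerable row echoes the `<script>` tag verbatim, while the escaped row emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. Escaping is context‑specific: `htmlspecialchars()`/`esc_html()` is correct for HTML text and attribute values, but data placed inside a JavaScript block, a URL, or a CSS rule needs the escaper for that context instead.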
OpenCVE Enrichment
EUVD