Impact
The NetInsight Analytics Implementation Plugin for WordPress contains a Cross‑Site Request Forgery flaw: an attacker can craft a request that, when submitted from a logged‑in user's browser, causes the plugin to store a malicious JavaScript payload in the WordPress database. Once stored, the script runs in the browser of every visitor to the affected pages, which makes this a Stored Cross‑Site Scripting vulnerability. The weakness is classified as CWE‑352. The impact is the potential compromise of confidential data or session hijacking for users who view the affected pages.
Affected Systems
lisensee's NetInsight Analytics Implementation Plugin is affected in all releases from the earliest available version up to and including 1.0.3; no sub‑versions are listed.
Risk and Exploitability
The CVSS base score of 7.1 indicates moderate to high severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation. The flaw requires a logged‑in administrator to be tricked into submitting a forged request, and the stored XSS payload only fires if the site's content rendering outputs it unescaped. The vulnerability is not currently listed in the CISA KEV catalog, implying no known active exploitation. An attacker would need to entice a privileged user to visit a malicious URL or embed a link that performs the CSRF action.
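As an added illustration (not the plugin's own code, whose option names and handlers the advisory does not give), the hypothetical WordPress settings handler below shows the pattern that produces a CWE‑352 to stored‑XSS chain beside the hardened form that verifies a nonce and the caller's capability, constrains the stored value, and escapes it on output. Every function and option name other than the WordPress core APIs is assumed.

```php
<?php
// Hypothetical plugin settings handler (assumed names; not the NetInsight plugin's code).
// Vulnerable pattern: any request reaching admin-post.php with these fields is honoured, so a
// forged request riding a logged-in administrator's session stores attacker-controlled markup.
function ni_demo_save_settings_vulnerable() {
    // No nonce check, no capability check, no sanitization: CWE-352 leading to stored XSS.
    update_option( 'ni_demo_site_id', $_POST['site_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=ni-demo' ) );
    exit;
}

// Hardened pattern: the only handler actually hooked up below.
function ni_demo_save_settings_hardened() {
    // 1. Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce bound to this action and the current session;
    //    a cross-site forged request cannot supply it. check_admin_referer() dies on failure.
    check_admin_referer( 'ni_demo_save_settings', 'ni_demo_nonce' );
    // 3. Constrain the stored value to what the setting legitimately holds.
    $site_id = isset( $_POST['site_id'] ) ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $site_id ) ) {
        wp_die( 'Invalid site id.', '', array( 'response' => 400 ) );
    }
    update_option( 'ni_demo_site_id', $site_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=ni-demo' ) );
    exit;
}
add_action( 'admin_post_ni_demo_save', 'ni_demo_save_settings_hardened' );

// Settings form: wp_nonce_field() emits the hidden nonce the hardened handler checks.
function ni_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ni_demo_save">
        <?php wp_nonce_field( 'ni_demo_save_settings', 'ni_demo_nonce' ); ?>
        <input type="text" name="site_id" value="<?php echo esc_attr( get_option( 'ni_demo_site_id', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end output: escape for the JavaScript string context so a stored value cannot
// break out of the string even if the input validation were ever bypassed.
function ni_demo_print_snippet() {
    $site_id = get_option( 'ni_demo_site_id', '' );
    echo "<script>window.niDemoSiteId = '" . esc_js( $site_id ) . "';</script>\n";
}
add_action( 'wp_head', 'ni_demo_print_snippet' );
```

When auditing a plugin for this class of bug, look for `update_option()` or direct database writes reachable from an `admin_post_*`, `admin_init` or AJAX hook with no `check_admin_referer()`/`wp_verify_nonce()` and no `current_user_can()` guard on the same path.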