Cross‑Site Request Forgery (CSRF) in Creative‑Solutions Creative Contact Form allows an attacker to store malicious scripts that will run in the browsers of users who view the content, facilitating attacks such as session hijacking or defacement. The flaw permits an attacker to inject arbitrary code that is saved with the form data and then executed when the data is displayed, a classic stored XSS scenario. The weakness is a form‑token bypass error, documented as CWE‑352.

WordPress sites running the Creative‑Solutions Creative Contact Form plugin version 1.0.0 or earlier are affected. The plugin is the sole component at risk; no other WordPress components are directly impacted by this vulnerability.

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% shows that exploitation probability is currently low and it is not listed in the CISA KEV catalog. The vulnerability description states that a CSRF flaw in the Creative Contact Form plugin allows an attacker to store malicious scripts within form data, which will run when the data is displayed to users. The likely attack vector involves an attacker sending a crafted, CSRF‑bypassing request that inserts a malicious script into the form database; the impact is achieved when users view the affected content. Based on the description, it is inferred that an authenticated session is not explicitly required, although the attacker must be able to send requests to the vulnerable endpoint.