Impact
A cross-site request forgery (CSRF) flaw in the Alanft Relocate Upload plugin lets an attacker cause a legitimate, logged-in user's browser to submit an HTTP request that stores attacker-controlled script in the site's database. That stored XSS payload is then served to any visitor who views the affected content, which can lead to session hijacking, data theft, or further exploitation of whatever the victim's browser session can reach.
Affected Systems
WordPress sites running the Relocate Upload plugin at version 0.24.1 or earlier are vulnerable. The plugin, developed by Alanft, can be installed on any WordPress site, so any installation with an affected version of the Relocate Upload module active is exposed.
Risk and Exploitability
The vulnerability has a CVSS score of 7.1 (high severity), but its EPSS score is below 1%, which implies a low probability of exploitation at present. It is not listed in the CISA KEV catalog, and no active exploitation campaigns have been reported. Based on the description, an attacker would need to trick a logged-in user or administrator into visiting a crafted URL or otherwise triggering the CSRF action, which is feasible through social engineering or a compromised third-party site. Once the malicious script is stored, it runs in the browser of every visitor to the affected content, potentially giving the attacker broad access to site data and user sessions.
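As an added illustration (not code from the Relocate Upload plugin), the following hypothetical WordPress settings handler shows the pattern behind this class of flaw: a form field stored with no nonce, capability or sanitisation check, beside a hardened version. All `ru_demo_` function, field and option names are assumptions.

```php
<?php
// Hypothetical plugin code added for illustration; not Relocate Upload's code.

// --- Vulnerable pattern: no nonce, no capability check, raw storage, raw output ---
function ru_demo_save_settings_vulnerable() {
    if ( isset( $_POST['ru_demo_label'] ) ) {
        // Any request carrying this field is honoured, including one that a
        // logged-in admin's browser is tricked into sending from another site
        // (CSRF). The value is stored unsanitised, so a script payload persists.
        update_option( 'ru_demo_label', $_POST['ru_demo_label'] );
    }
}

function ru_demo_render_vulnerable() {
    // Echoing the stored value without escaping completes the stored XSS.
    echo '<span>' . get_option( 'ru_demo_label', '' ) . '</span>';
}

// --- Hardened pattern ---
function ru_demo_settings_form() {
    echo '<form method="post">';
    // Nonce tied to the current user's session; a cross-site forgery cannot
    // obtain it, so forged requests fail verification below.
    wp_nonce_field( 'ru_demo_save', 'ru_demo_nonce' );
    echo '<input type="text" name="ru_demo_label" value="'
        . esc_attr( get_option( 'ru_demo_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function ru_demo_save_settings_hardened() {
    if ( ! isset( $_POST['ru_demo_label'] ) ) {
        return;
    }
    // 1. CSRF defence: reject requests lacking a valid nonce for this action.
    if ( ! isset( $_POST['ru_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['ru_demo_nonce'], 'ru_demo_save' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // 2. Authorisation: only users permitted to change settings may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 3. Sanitise on input so markup never reaches the database.
    update_option( 'ru_demo_label', sanitize_text_field( wp_unslash( $_POST['ru_demo_label'] ) ) );
}

function ru_demo_render_hardened() {
    // 4. Escape on output as defence in depth.
    echo '<span>' . esc_html( get_option( 'ru_demo_label', '' ) ) . '</span>';
}
add_action( 'admin_init', 'ru_demo_save_settings_hardened' );
```

When reviewing a plugin for this flaw class, look for state-changing handlers reachable via `admin_init`, `admin_post_*` or AJAX actions that call `update_option` or write to the database without a preceding `wp_verify_nonce`/`check_admin_referer` and capability check.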
OpenCVE Enrichment