Impact
The ShrinkTheWeb (STW) Website Previews plugin for WordPress contains a cross-site request forgery (CSRF) flaw that lets an attacker plant arbitrary JavaScript in data the plugin persists. The attacker lures a logged-in user with sufficient privileges into submitting a crafted request, for example by visiting an attacker-controlled page that auto-submits a form to the WordPress site; the browser attaches the victim's session cookies, the plugin accepts the request without checking that the victim intended it, and stores the payload. The result is a stored cross-site scripting (XSS) condition: the script runs whenever a user later views the stored content. An attacker can use this to deface the site, steal credentials or session tokens, or perform other actions in the browser context of legitimate visitors and administrators.
Affected Systems
All WordPress installations that run the ShrinkTheWeb (STW) Website Previews plugin from puravida1976 up to and including version 2.8.5 are affected. No specific WordPress core version is mentioned; the vulnerability applies to any instance where the plugin’s vulnerable code is present.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high severity band. The EPSS score is reported as below 1%, meaning the EPSS model estimates a low probability of in-the-wild exploitation in the near term; low is not zero. The vulnerability is not listed in the CISA KEV catalog, so no confirmed active exploitation is known. The attack vector is CSRF: the attacker needs a privileged victim to submit a crafted request, and the plugin processes that request without validating a nonce, so the victim's own authenticated session authorises the write. Once the payload is stored, the resulting script affects every user who subsequently views the stored content. High impact combined with a simple, user-assisted trigger warrants prompt remediation: update the plugin as soon as a release that addresses the issue is available, and until then consider disabling it or restricting who can reach its settings pages.
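The CSRF-to-stored-XSS chain described above comes down to a settings handler that writes request data without a nonce or capability check and a render path that echoes the stored value unescaped. The following is an added illustration written for this page; it is not code from the ShrinkTheWeb (STW) Website Previews plugin, and the option name `stw_example_title`, the action `stw_example_save`, the field `title` and the page slug `stw-example` are assumptions chosen for the example. It shows a generic WordPress handler in its vulnerable form beside a hardened form using the standard WordPress APIs (`current_user_can`, `check_admin_referer`, `wp_nonce_field`, `sanitize_text_field`, `esc_html`, `esc_attr`).

```php
<?php
/*
 * Added illustration for this advisory page. NOT the STW plugin's code.
 * Assumed names: option stw_example_title, action stw_example_save,
 * POST field title, admin page slug stw-example.
 */

/* ---- Vulnerable pattern (shown for comparison, deliberately not hooked) ---- */
function stw_example_save_vulnerable() {
    // A cross-site form POST still carries the victim's WordPress session cookies,
    // so this runs with the victim's privileges even though the victim never
    // chose to submit it. No capability check, no nonce check, no sanitisation.
    update_option( 'stw_example_title', $_POST['title'] ); // raw attacker string stored
    wp_safe_redirect( admin_url( 'options-general.php?page=stw-example' ) );
    exit;
}

function stw_example_render_vulnerable() {
    // Stored value echoed unescaped: a payload such as <script>...</script>
    // executes for every user who views this page (stored XSS).
    echo '<h2>' . get_option( 'stw_example_title', '' ) . '</h2>';
}

/* ---- Hardened pattern (this one is hooked) ---- */
add_action( 'admin_post_stw_example_save', 'stw_example_save_hardened' );

function stw_example_save_hardened() {
    // 1. Capability check: nonces prove intent, not authorisation, so both are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 2. Nonce check. A page on another origin cannot read the nonce embedded in
    //    the victim's settings form, so a forged cross-site request fails here.
    //    check_admin_referer() calls wp_die() itself when the nonce is invalid.
    check_admin_referer( 'stw_example_save', 'stw_example_nonce' );

    // 3. Sanitise before storing (strips tags, control characters, extra whitespace).
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'stw_example_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=stw-example' ) );
    exit;
}

function stw_example_render_hardened() {
    $title = get_option( 'stw_example_title', '' );

    // 4. Escape on output regardless of what was stored; sanitisation at
    //    write time is defence in depth, not a substitute for this.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="stw_example_save">
        <?php wp_nonce_field( 'stw_example_save', 'stw_example_nonce' ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two caveats a reviewer would raise against a fix that only adds the nonce: the nonce stops the forged request but does nothing about a payload an attacker has already stored, so existing option values should be re-escaped on output (step 4) and audited; and a nonce without the capability check (step 1) would still let any logged-in user who can load the form change the setting.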