Impact
The flaw is a CSRF vulnerability in the Casengo Live Chat Support WordPress plugin that lets an attacker submit a crafted request to the plugin’s endpoint. The request causes the plugin to store malicious JavaScript, which is later executed when any user loads the website. The primary impact is the ability to inject and persist client‑side code that runs in visitors’ browsers. This can lead to defacement, disclosure of sensitive information, or unintended actions performed in the context of the logged‑in site owner. The weakness is classified as CWE‑352. The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% implies that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is an attacker hosting a malicious form or link that triggers an authenticated request against the plugin from a target site, causing the malicious script to be stored without further interaction from the site administrator.
Affected Systems
The vulnerability affects the Casengo Live Chat Support WordPress plugin in versions 2.1.4 and older, as specified by the CNA. The affected product is identified as Casengo:Casengo Live Chat Support; newer versions are not affected.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is considered high severity, but the EPSS score of < 1% suggests that real‑world exploitation is currently uncommon. The attack is feasible only against installations running the vulnerable plugin, where an authenticated user's browser can be made to send a state‑changing request that the plugin accepts without proper CSRF protection.
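The missing check described above, as an added illustration that is not the Casengo plugin's own code: a hypothetical WordPress settings handler that stores a snippet with no request-origin check, next to a hardened version that requires a capability, verifies a WordPress nonce and sanitizes the stored value. The function, option and nonce names are assumptions.

```php
<?php
// Added illustration, not the Casengo plugin's code. The option name
// "example_chat_widget_snippet" and all handler names are assumptions.

// Weak pattern: any request that reaches the handler is trusted, so a forged
// cross-site POST sent by a logged-in administrator's browser writes
// attacker-controlled markup into an option the front end later echoes.
function example_save_widget_weak() {
    if ( isset( $_POST['widget_snippet'] ) ) {
        update_option( 'example_chat_widget_snippet', wp_unslash( $_POST['widget_snippet'] ) );
    }
}
add_action( 'admin_post_example_save_widget_weak', 'example_save_widget_weak' );

// Hardened pattern: require a capability, verify a nonce bound to this action,
// and constrain what is stored.
function example_save_widget_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies on a missing or invalid nonce. A third-party
    // site cannot know the nonce value, so a forged request fails here.
    check_admin_referer( 'example_save_widget', 'example_widget_nonce' );

    $raw = isset( $_POST['widget_snippet'] ) ? wp_unslash( $_POST['widget_snippet'] ) : '';
    // Allow only a small, script-free markup subset for a value that is echoed to visitors.
    $allowed = array( 'a' => array( 'href' => array() ), 'strong' => array(), 'em' => array() );
    update_option( 'example_chat_widget_snippet', wp_kses( $raw, $allowed ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_example_save_widget', 'example_save_widget_hardened' );

// Matching settings form: the nonce field is what the hardened handler verifies.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_widget">
        <?php wp_nonce_field( 'example_save_widget', 'example_widget_nonce' ); ?>
        <textarea name="widget_snippet"><?php echo esc_textarea( get_option( 'example_chat_widget_snippet', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce check stops the forged request; the wp_kses() filter limits what a stored value can do if a check is ever bypassed, and any front-end code that outputs the option should still escape it on output.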
OpenCVE Enrichment
EUVD