Impact
The CVE describes a Cross‑Site Request Forgery flaw in the WordPress plugin “To Lead For Salesforce” that lets an attacker craft a malicious request which, when the plugin processes it, reflects attacker‑controlled cross‑site scripting code back into the victim’s browser. This reflected XSS can be used to steal session credentials, deface the site, or inject arbitrary content, compromising the confidentiality and integrity of the site’s information and its users’ sessions.
Affected Systems
WordPress installations that have the To Lead For Salesforce plugin by Nick Ciske installed at any version up to and including 2.7.3.9 are affected.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate severity, and the EPSS score of less than 1 % suggests a low likelihood of exploitation. Based on the description, the likely attack vector is a remote request that an attacker prompts a legitimate user to visit; no authentication is required to issue the request. The vulnerability is currently not listed in the CISA KEV catalog, but the combination of a moderate severity score and the ease of creating a crafted URL means that publicly exposed sites can realistically be targeted. The risk to affected sites stems from the fact that the reflected XSS runs in the context of a logged‑in user, potentially allowing an attacker to hijack sessions or alter content.
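The pattern behind this class of flaw (a request handler with no CSRF token that echoes request data unescaped) and its fix are illustrated below. This is an added example written for this advisory, not code from the To Lead For Salesforce plugin; the function names, option key and parameter names are hypothetical, and only the WordPress core APIs (`check_admin_referer`, `wp_nonce_field`, `esc_html`, etc.) are real.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler names,
// option key and request parameters; WordPress core functions are real.

// --- Vulnerable pattern (hypothetical) ---------------------------------------
function tlfs_demo_vulnerable_handler() {
    // No nonce or capability check: another site can make a logged-in
    // user's browser submit this request (CSRF).
    $msg = isset( $_REQUEST['status_msg'] ) ? $_REQUEST['status_msg'] : '';
    update_option( 'tlfs_demo_setting', isset( $_REQUEST['setting'] ) ? $_REQUEST['setting'] : '' );
    // Request data reflected raw into the page: reflected XSS.
    echo '<div class="notice">' . $msg . '</div>';
}

// --- Hardened pattern --------------------------------------------------------
function tlfs_demo_hardened_handler() {
    // Only users permitted to manage settings may reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'tlfs-demo' ), 403 );
    }
    // Require a nonce minted for this specific action; a forged cross-site
    // request cannot supply it, so the handler stops here.
    check_admin_referer( 'tlfs_demo_save', 'tlfs_demo_nonce' );

    $setting = sanitize_text_field( wp_unslash( isset( $_POST['setting'] ) ? $_POST['setting'] : '' ) );
    update_option( 'tlfs_demo_setting', $setting );

    // Anything reflected back is escaped for the HTML context it lands in.
    $msg = sanitize_text_field( wp_unslash( isset( $_POST['status_msg'] ) ? $_POST['status_msg'] : '' ) );
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// The form posting to the hardened handler must carry the matching nonce.
function tlfs_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'tlfs_demo_save', 'tlfs_demo_nonce' );
    echo '<input name="setting" value="'
        . esc_attr( get_option( 'tlfs_demo_setting', '' ) ) . '">';
    submit_button( esc_html__( 'Save', 'tlfs-demo' ) );
    echo '</form>';
}
```

When auditing a plugin for this issue, look for handlers that call `update_option` or similar without a preceding `check_admin_referer`/`wp_verify_nonce`, and for `echo` of `$_GET`/`$_POST`/`$_REQUEST` values without `esc_html`/`esc_attr`.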