Impact
The plugin contains a Cross‑Site Request Forgery (CSRF) flaw that enables an attacker to submit data that is then stored in the database as malicious JavaScript. When any user loads a page that displays this stored data, the injected script runs in the victim’s browser. The consequences can include theft of session cookies, defacement of pages, unauthorized actions performed on behalf of the user, or the delivery of further malware. The flaw is classified as CWE‑352 (Cross‑Site Request Forgery); the official description characterises its outcome as stored XSS.
Affected Systems
All installations of the Subhash Kumar Database to Excel WordPress plugin up to and including version 1.0 are vulnerable. The vulnerability applies to the plugin regardless of any other WordPress configuration, and affects any WordPress site that has the plugin enabled.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is rated high severity. An EPSS score below 1% suggests that, at present, exploitation is unlikely but not impossible. The flaw is not listed in the CISA KEV catalog, so there is no known report of mass exploitation. Based on typical CSRF behavior, it is inferred that successful exploitation would require delivery of a crafted request to the plugin’s endpoint, most likely by persuading a legitimate user to click a malicious link or by embedding attacker‑controlled data into the site. It is further inferred that once the stored script is triggered, the attacker would be able to act with the privileges of the unsuspecting user who visits the affected page.
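To make the defensive point concrete, the following is an added illustration and not the plugin's own code: a hypothetical WordPress admin handler that stores a user‑supplied text value and later renders it. The first pair of functions omits the request‑origin and capability checks whose absence lets a forged cross‑site request plant a payload that is then echoed unescaped; the second pair adds a nonce check, a capability check, sanitisation on input and escaping on output. All function, option and nonce names (`dbexcel_*`) are assumptions chosen for the example.

```php
<?php
// Added illustration (not the plugin's code). Names are assumptions.

// --- Weak pattern: no origin check, no capability check, raw output ---------
function dbexcel_save_label_weak() {
    // Every request reaching this action is trusted, so a POST that a
    // third-party page causes a logged-in admin's browser to send is
    // accepted exactly as if the admin had submitted it deliberately.
    update_option( 'dbexcel_label', $_POST['label'] ?? '' );
    wp_safe_redirect( admin_url( 'admin.php?page=dbexcel' ) );
    exit;
}

function dbexcel_render_label_weak() {
    // The stored value is echoed verbatim, so markup in it becomes part of
    // the page for every visitor: this is the stored-XSS half of the chain.
    echo '<p>' . get_option( 'dbexcel_label', '' ) . '</p>';
}

// --- Hardened pattern: nonce + capability on input, escape on output --------
function dbexcel_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // wp_nonce_field() emits a hidden, per-user, time-limited token bound to
    // the action name; a cross-site page cannot read or forge it.
    wp_nonce_field( 'dbexcel_save_label', '_dbexcel_nonce' );
    echo '<input type="hidden" name="action" value="dbexcel_save_label">';
    echo '<input type="text" name="label" value="'
        . esc_attr( get_option( 'dbexcel_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function dbexcel_save_label() {
    // 1. Reject requests that did not originate from our own form.
    $nonce = isset( $_POST['_dbexcel_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_dbexcel_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'dbexcel_save_label' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Reject users who are not permitted to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Strip tags and control characters before the value is stored.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'dbexcel_label', $label );

    wp_safe_redirect( admin_url( 'admin.php?page=dbexcel' ) );
    exit;
}

function dbexcel_render_label() {
    // 4. Escape at output time regardless of what was stored; this step
    //    alone neutralises script injection even if input filtering fails.
    echo '<p>' . esc_html( get_option( 'dbexcel_label', '' ) ) . '</p>';
}

// Only the hardened handler is registered for the admin-post.php action.
add_action( 'admin_post_dbexcel_save_label', 'dbexcel_save_label' );
```

Two design points are worth noting. A nonce check only helps when the endpoint also requires an authenticated, suitably privileged user; the capability check is what prevents a low‑privilege account from storing content that a higher‑privilege viewer later renders. And output escaping is the control to verify first when triaging a report like this one: if every path that prints the stored value goes through `esc_html()` or `esc_attr()`, a forged write can still pollute the setting but can no longer execute in a visitor's browser.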