Impact
The WN Flipbox Pro WordPress plugin contains a Cross-Site Request Forgery (CSRF) flaw: a request that the plugin processes without verifying its origin can be forged by a third-party site, and part of the forged request's payload is reflected back into the victim's browser. Because that reflected data can contain arbitrary JavaScript, the flaw chains into Reflected Cross-Site Scripting (XSS) that runs in the context of the victim's session. The weakness is classified as CWE-352 (Cross-Site Request Forgery). If exploited, it could allow an attacker to execute script in the victim's browser and, with the privileges of that user's session, alter site content (defacement).
Affected Systems
Any WordPress site running the Yaidier WN Flipbox Pro plugin at version 2.1 or earlier is vulnerable. No operating system or PHP version restrictions are indicated, so any typical WordPress deployment with one of these plugin releases should be treated as affected.
Risk and Exploitability
The CVSS v3.1 base score of 7.1 (High) indicates significant impact if the flaw is exploited, while the EPSS score of under 1% indicates a low estimated probability of exploitation in the wild over the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which means CISA has no evidence of active exploitation; it does not mean that no public exploit exists. Based on the description, the likely attack vector is an attacker-crafted link or auto-submitting form that causes a logged-in user's browser to send a forged request to the plugin, which processes the request and echoes the attacker's payload back to that user, resulting in client-side script execution. The victim of interest is typically a user with elevated privileges (an administrator or editor), since it is their session that makes the reflected script valuable to the attacker.
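The following is an added illustration of the vulnerable pattern described above beside its hardened form, written as generic WordPress plugin code. It is not WN Flipbox Pro's code, and the handler names, hook name, nonce action and the `flipbox_title` parameter are hypothetical assumptions chosen for the example.

```php
<?php
// Illustrative only: hypothetical handler names and parameters, not WN Flipbox Pro's code.

// --- Vulnerable pattern: no CSRF token check, request data echoed raw ---
function wn_example_vulnerable_preview() {
    // Any site that gets a logged-in user to submit this form controls $title.
    $title = isset( $_POST['flipbox_title'] ) ? $_POST['flipbox_title'] : '';
    // Reflected unescaped: a <script> tag in $title runs in the victim's session.
    echo '<h2>' . $title . '</h2>';
}

// --- Hardened pattern: nonce + capability check + output escaping ---
function wn_example_hardened_preview() {
    // 1. CSRF: reject requests that do not carry a nonce tied to this action and this user.
    check_admin_referer( 'wn_example_preview', 'wn_example_nonce' );

    // 2. Authorization: only users allowed to edit content may reach this handler.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input: strip the slashes WordPress adds, then normalise to plain text.
    $title = isset( $_POST['flipbox_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['flipbox_title'] ) )
        : '';

    // 4. Output: escape at the point of rendering so any remaining markup is inert.
    echo '<h2>' . esc_html( $title ) . '</h2>';
}

// The form that submits to the hardened handler must embed the matching nonce;
// a form hosted on an attacker's site cannot produce a valid one.
function wn_example_preview_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wn_example_preview">';
    wp_nonce_field( 'wn_example_preview', 'wn_example_nonce' );
    echo '<input type="text" name="flipbox_title">';
    echo '<input type="submit" value="Preview">';
    echo '</form>';
}

// Hypothetical admin-post hook wiring for the hardened handler.
add_action( 'admin_post_wn_example_preview', 'wn_example_hardened_preview' );
```

The two defences address the two halves of the chain independently: the nonce check stops a cross-site form from being accepted at all, and `esc_html()` stops reflected input from being interpreted as markup even if a request does get through. Neither alone is sufficient: a nonce does not help if the attacker can obtain one, and escaping does not stop a forged request from performing a state change.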
OpenCVE Enrichment