Impact
A Cross‑Site Request Forgery flaw exists in the WordPress Popping Sidebars and Widgets Light plugin that permits attackers to inject reflected cross‑site scripting content. The vulnerability can be triggered by an unauthenticated or authenticated user who submits a crafted request, leading to the execution of arbitrary JavaScript in the victim’s browser. If the injected code runs with the privileges of the authenticated user, it can hijack sessions, steal credentials, or perform further malicious actions within the WordPress site.
Affected Systems
The flaw affects all installations of OTWthemes Popping Sidebars and Widgets Light up through version 1.27. WordPress sites that have this plugin enabled are vulnerable; newer releases beyond 1.27 are not impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates a high‑severity weakness. The EPSS value of less than 1% suggests a very low probability of exploitation in the general landscape, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the combination of CSRF and reflected XSS can be leveraged remotely, making the issue potentially impactful if an attacker can convince a user to click a malicious link or visit a compromised site. The attack vector is inferred to be a remote, unauthenticated request that triggers the vulnerable plugin’s state change, allowing the reflected script to execute in the victim’s context.
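The pattern behind a CSRF-to-reflected-XSS chain in a WordPress plugin, and the standard fix (nonce verification on the state-changing request plus input sanitisation and output escaping), shown as an added illustration; this is hypothetical example code, not the Popping Sidebars and Widgets Light plugin's own code, and the option, nonce action and field names are assumptions:

```php
<?php
// Added illustration; not taken from the affected plugin. Names are hypothetical.

// Unsafe pattern: no nonce or capability check, and the raw request value is
// echoed back, so a forged cross-site request can both reach the handler and
// reflect attacker-controlled markup into the victim's page.
function psw_example_unsafe_handler() {
    $title = isset( $_REQUEST['psw_title'] ) ? $_REQUEST['psw_title'] : '';
    echo '<div class="notice"><p>Saved: ' . $title . '</p></div>';
}

// Hardened pattern: capability check, nonce verification, sanitised input,
// escaped output. The nonce ties the request to a form this site issued, so a
// request forged from another origin is rejected before any state changes.
function psw_example_safe_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'psw-example' ) );
    }
    $nonce = isset( $_POST['psw_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['psw_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'psw_save_settings' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'psw-example' ) );
    }
    $title = isset( $_POST['psw_title'] ) ? sanitize_text_field( wp_unslash( $_POST['psw_title'] ) ) : '';
    update_option( 'psw_example_title', $title );
    // esc_html() neutralises any markup that survived sanitisation before it is reflected.
    printf(
        '<div class="notice notice-success"><p>%s</p></div>',
        esc_html( sprintf( __( 'Saved: %s', 'psw-example' ), $title ) )
    );
}

// The settings form emits the nonce field so legitimate submissions carry it.
function psw_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="psw_example_save" />
        <?php wp_nonce_field( 'psw_save_settings', 'psw_nonce' ); ?>
        <input type="text" name="psw_title"
               value="<?php echo esc_attr( get_option( 'psw_example_title', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_psw_example_save', 'psw_example_safe_handler' );
```

When reviewing a plugin for this bug class, look for handlers that change options or echo request parameters without a `wp_verify_nonce()` / `check_admin_referer()` call and without `esc_html()` / `esc_attr()` on output.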