Impact
The Add to Feedly plugin contains a cross‑site request forgery (CSRF) flaw that lets an attacker inject a persistent (stored) cross‑site scripting payload. If a logged‑in user submits a forged request, attacker‑controlled JavaScript is saved in the plugin’s database and later rendered on the site, so it executes in the browser of any visitor to the affected page. This vulnerability is classified as CWE‑352 (Cross‑Site Request Forgery).
Affected Systems
The Add to Feedly plugin, created by David Merinas, is affected in all releases up to and including version 1.2.11. Any WordPress site that has this plugin installed and has not upgraded beyond that version is vulnerable. The flaw resides solely in the plugin; no specific WordPress core version is required.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1 % indicates a low near‑term probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is a CSRF, exploitation requires a legitimate authenticated session: the attacker must trick a logged‑in user into sending a forged request, which the plugin then processes and stores. Once stored, the XSS payload can affect any site visitor and may compromise session cookies or personal data, or serve as a foothold for further attacks. The risk is significant for sites whose administrators use the plugin and for users who frequently visit sites running it.
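To show the pattern the advisory describes (a settings form saved without a CSRF token and echoed unescaped), here is an added illustration of a generic WordPress options handler in its weak and hardened forms. It is hypothetical example code, not the Add to Feedly plugin’s source; the option name, form field and function names (`atf_example_*`) are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Option and field names are assumed.

// --- Weak form: the pattern CWE-352 describes ---
// Every POST reaching this handler is trusted. A forged request from another
// origin, sent by a logged-in user's browser, is saved verbatim and later
// echoed without escaping, so the CSRF becomes a stored XSS.
function atf_example_save_weak() {
    if ( isset( $_POST['atf_example_label'] ) ) {
        update_option( 'atf_example_label', $_POST['atf_example_label'] );
    }
}
function atf_example_render_weak() {
    echo '<span class="feedly-label">' . get_option( 'atf_example_label', '' ) . '</span>';
}

// --- Hardened form ---
// 1. The form carries a nonce bound to the logged-in user and to the action.
function atf_example_form() {
    $label = get_option( 'atf_example_label', '' );
    echo '<form method="post">';
    wp_nonce_field( 'atf_example_save', 'atf_example_nonce' );
    echo '<input type="text" name="atf_example_label" value="' . esc_attr( $label ) . '">';
    submit_button();
    echo '</form>';
}
// 2. The handler rejects requests without a valid nonce (check_admin_referer()
//    stops execution on failure), requires the capability, and sanitises the
//    value before storing it.
function atf_example_save_hardened() {
    if ( ! isset( $_POST['atf_example_label'] ) ) {
        return;
    }
    check_admin_referer( 'atf_example_save', 'atf_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $label = sanitize_text_field( wp_unslash( $_POST['atf_example_label'] ) );
    update_option( 'atf_example_label', $label );
}
// 3. Output is escaped at render time regardless of what is stored, so a value
//    that somehow reached the database still cannot run in a visitor's browser.
function atf_example_render_hardened() {
    echo '<span class="feedly-label">' . esc_html( get_option( 'atf_example_label', '' ) ) . '</span>';
}
```

When reviewing a plugin update for this class of fix, look for all three pieces together: a nonce on the form, a nonce and capability check in the handler, and escaping at output.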
OpenCVE Enrichment