The KaizenCoders Enable Latex WordPress plugin contains a Cross‑Site Request Forgery flaw that can be exploited to store malicious scripts on the site. An attacker who tricks an authenticated user into visiting a crafted page can have the plugin execute arbitrary JavaScript when other users view the stored content. This stored XSS can lead to session hijacking, credential theft, defacement, or the execution of additional malicious payloads. The weakness is a standard CSRF vulnerability (CWE‑352) combined with a lack of output encoding, allowing the injection of malicious code.

WordPress sites using the KaizenCoders Enable Latex plugin version 1.2.16 or earlier are affected. The vulnerability applies to all installations of the plugin from its initial release up through version 1.2.16. Administrators should check the plugin version or upgrade to a fixed release.

The CVSS score of 7.1 indicates a high impact level, while the EPSS score of less than 1 percent suggests the event is currently considered a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely need to entice a legitimate user to visit a malicious URL or exploit an existing authenticated session, making the attack feasible in the context of social engineering or compromised credentials. Once triggered, the stored malicious script will execute each time the affected content is displayed, providing persistent damage potential.