The Video Blogster Lite plugin contains a CSRF flaw that allows an attacker to submit a crafted request on behalf of an authenticated WordPress user. This flaw can be leveraged to inject persistent JavaScript into posts or comments, resulting in stored cross-site scripting. Attackers can use the injected code to steal user cookies, hijack sessions, deface content, or execute arbitrary commands in the context of the blog. Although the vulnerability does not directly grant code execution, the stored XSS capability provides a broad attack surface against site visitors.

Affected systems are WordPress sites running the johnh10 Video Blogster Lite plugin, version 1.2 or earlier. All installations of the plugin prior to 1.3 are vulnerable. The issue is reported for all unpatched versions up through <=1.2.

The CVSS score of 7.1 indicates a high impact, while the EPSS score of <1% suggests that exploitation attempts are rare to date. The vulnerability is not listed in CISA KEV, so no confirmed active exploitation is known. Because the flaw relies on a CSRF attack vector, an attacker would need to convince a legitimate user to visit a malicious site or click a link that performs the unauthorized action. Once triggered, the stored XSS payload can affect all visitors to the compromised page. Security teams should consider the attack vector as remote, yet the potential damage to site integrity and user trust warrants prompt action.