Impact
A Cross‑Site Request Forgery vulnerability in the HTACCESS IP Blocker plugin allows an attacker who can get a forged request submitted to the plugin's administrative endpoints to inject malicious payloads that the plugin stores and later renders, producing a stored XSS condition. The flaw arises because the plugin does not validate the origin of requests that modify the IP block list (for example with a nonce or referer check), so an attacker can cause malicious JavaScript to be saved and subsequently executed in the browser of any user who loads the affected pages.
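The root cause described above is a state-changing admin action that accepts any request reaching it, combined with stored values being echoed without escaping. The following is an added illustration, not code from the HTACCESS IP Blocker plugin: a hypothetical block-list handler showing the vulnerable pattern beside a hardened version that ties writes to a WordPress nonce and capability check, validates that each entry is an IP literal, and escapes on output. The option key `ipb_blocked_ips`, the nonce action `ipb_update_list` and the `ipb_` function names are assumptions made for the example.

```php
<?php
// Hypothetical WordPress admin handler for an IP block list (example code,
// not the plugin's own). Assumed: option key 'ipb_blocked_ips', nonce action
// 'ipb_update_list', admin-post hook 'admin_post_ipb_update_list'.

// --- Vulnerable pattern: no nonce/origin check, raw input stored and echoed ---
function ipb_handle_update_vulnerable() {
    // Any request that lands on this hook inside a logged-in admin's browser is
    // honoured, so a cross-site form POST can write attacker-chosen values.
    $ips = isset( $_POST['blocked_ips'] ) ? (array) $_POST['blocked_ips'] : array();
    update_option( 'ipb_blocked_ips', $ips );
}

function ipb_render_list_vulnerable() {
    foreach ( (array) get_option( 'ipb_blocked_ips', array() ) as $ip ) {
        echo '<li>' . $ip . '</li>'; // unescaped: stored markup executes here
    }
}

// --- Hardened pattern: capability + nonce on write, validation, escaping on read ---
function ipb_handle_update_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request unless it carries a nonce
    // bound to this action and the current user; a forged cross-site request
    // has no way to obtain one.
    check_admin_referer( 'ipb_update_list', 'ipb_nonce' );

    $clean = array();
    $raw_list = isset( $_POST['blocked_ips'] ) ? (array) $_POST['blocked_ips'] : array();
    foreach ( $raw_list as $raw ) {
        $candidate = sanitize_text_field( wp_unslash( $raw ) );
        // Accept only syntactically valid IPv4/IPv6 literals; anything else
        // (including markup) is dropped instead of being stored.
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) !== false ) {
            $clean[] = $candidate;
        }
    }
    update_option( 'ipb_blocked_ips', array_values( array_unique( $clean ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ipb&updated=1' ) );
    exit;
}

function ipb_render_form_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ipb_update_list">';
    wp_nonce_field( 'ipb_update_list', 'ipb_nonce' ); // emits the per-user nonce field
    echo '<input type="text" name="blocked_ips[]">';
    submit_button( 'Save' );
    echo '</form>';
}

function ipb_render_list_hardened() {
    foreach ( (array) get_option( 'ipb_blocked_ips', array() ) as $ip ) {
        echo '<li>' . esc_html( $ip ) . '</li>'; // escaped on output
    }
}

// Register only the hardened handler for the state-changing action.
add_action( 'admin_post_ipb_update_list', 'ipb_handle_update_hardened' );
```

The two controls are independent and both matter: the nonce check closes the CSRF path (an attacker-controlled page cannot forge a valid `ipb_nonce`), while input validation plus `esc_html()` on output ensures that even a value written through some other route cannot become executable script in an administrator's browser. When reviewing a plugin for this class of bug, look for every `update_option()`/file write reachable from an admin page and confirm a `check_admin_referer()` or `wp_verify_nonce()` call precedes it.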
Affected Systems
The vulnerability affects the WordPress plugin HTACCESS IP Blocker created by Taraprasad Swain, specifically all released versions up to and including 1.0. Any WordPress site that has this plugin installed and has not upgraded to a later version is susceptible.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while an EPSS score below 1% suggests the probability of exploitation is currently low, though it could rise as more sites deploy the plugin. The vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation has been documented. The likely attack vector is a web‑based exploit that requires an authenticated session or access to the plugin's admin interface; an attacker may construct a forged request that triggers the vulnerable action and injects payloads that persist in the site's output.