Impact
Cross-Site Request Forgery in the WordPress CloudSearch plugin can be exploited to store malicious JavaScript that is later executed in the browsers of legitimate site visitors, leading to potential hijacking of sessions, theft of credentials, or defacement of the web application. The vulnerability arises because the plugin accepts forged state-changing requests without proper CSRF protection, allowing an attacker to inject a payload that the site persists and later renders. The weakness is classified as CWE-352.
Affected Systems
All installations of the Andrea Landonio CloudSearch WordPress plugin up to and including version 3.0.0 are affected; the advisory lists the affected range as n/a through 3.0.0, i.e., every release up to 3.0.0. Users of newer releases are not impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity potential. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors require an attacker to deliver a forged request – for example, by hosting a malicious page that submits a form or AJAX call to the vulnerable plugin endpoint from a victim's browser – in order to persist the XSS payload in the site. Successful exploitation would leave the attacker with a stored payload that runs in the browsers of all authenticated and unauthenticated site visitors, enabling a range of downstream attacks.
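The missing CSRF protection described in the Impact and Risk sections is the generic WordPress pattern of a state-changing handler that never checks a nonce; the following is an added illustration of that pattern next to its hardened form, not the CloudSearch plugin's own code. The option name `example_search_label`, the nonce action `example_save_settings` and the form field are assumptions made for this example.

```php
<?php
// Added illustration, not CloudSearch's code. The option name, nonce action
// and form field name are assumptions made for this example.

// Vulnerable pattern: the handler trusts any POST and stores the raw value,
// so a form submitted cross-site from an administrator's browser is accepted
// (CWE-352). The stored value is then printed unescaped, which is what turns
// the CSRF into a stored XSS for every later visitor.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_search_label'] ) ) {
        update_option( 'example_search_label', $_POST['example_search_label'] );
    }
}
function example_render_label_vulnerable() {
    echo '<span class="search-label">' . get_option( 'example_search_label' ) . '</span>';
}

// Hardened pattern: the form carries a nonce bound to a named action, the
// handler verifies it and the capability, sanitises on input and escapes on
// output. A forged request cannot carry a valid nonce, so it is rejected.
function example_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' ); // hidden nonce field
    echo '<input type="text" name="example_search_label" value="'
        . esc_attr( get_option( 'example_search_label', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_search_label'] ) ) {
        return;
    }
    // Stops the request with a 403 page when the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // Authorisation is separate from CSRF protection: also require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $label = sanitize_text_field( wp_unslash( $_POST['example_search_label'] ) );
    update_option( 'example_search_label', $label );
}
function example_render_label_hardened() {
    echo '<span class="search-label">'
        . esc_html( get_option( 'example_search_label', '' ) ) . '</span>';
}
add_action( 'admin_init', 'example_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for every `update_option`, `wp_insert_post` or database write reachable from `$_POST`/`$_GET` and confirm a `check_admin_referer`/`wp_verify_nonce` call and a capability check precede it.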
OpenCVE Enrichment