Cross‑Site Request Forgery in the Jac ques Malgrange Rencontre WordPress plugin allows a malicious actor to force an authenticated user to submit requests that are not protected by a CSRF token. The vulnerability can be exploited to store malicious JavaScript code in the database, resulting in Stored Cross‑Site Scripting. This flaw is classified as CWE‑352 and can enable attackers to hijack sessions, deface content, or execute further malicious actions on the affected site.

The vulnerability affects versions of the Rencontre plugin for WordPress released by Jacques Malgrange, from the earliest available versions through 3.13.7. Any instance of this plugin deployed on a WordPress site within that version range is susceptible.

The CVSS score of 7.1 places this issue in the high‑severity category, yet the EPSS score of less than 1% indicates a low probability of exploitation at this time. It is not listed in the CISA KEV catalogue. Exploitation would likely require an attacker to entice a logged‑in user—such as an administrator—to visit a crafted page or click a malicious link that triggers the vulnerable request. The lack of a CSRF token means that the attack can succeed even against users who are not actively interacting with the site, but still relies on them being authenticated and on the target site not employing additional protective measures such as environment‑level CSRF defenses.