Impact
A Cross‑Site Request Forgery vulnerability in the Evergreen Post Tweeter plugin allows an attacker to cause malicious content to be stored in the plugin’s database by way of a forged request. The stored data is later rendered, unescaped, in pages viewed by site visitors, resulting in Stored Cross‑Site Scripting. An attacker can therefore inject arbitrary script that executes in the browser of any user who views a page displaying the content, potentially compromising the confidentiality, integrity, or availability of the affected WordPress site.
Affected Systems
WordPress sites that have the Evergreen Post Tweeter plugin from the vendor titopandub installed. All releases up to and including version 1.8.9 are affected. The advisory references no later version.
Risk and Exploitability
The vulnerability has a CVSS score of 7.1, placing it in the High severity band. Its EPSS score of under 1% suggests that exploitation in the wild is currently unlikely, and the flaw is not listed in the CISA KEV catalog. Because the weakness is a CSRF flaw, exploitation requires user interaction: the attacker must trick a user who holds a valid authenticated session into submitting the forged request. Once the malicious payload is stored, however, every visitor to the affected page is exposed to the injected script without any further interaction. Overall risk is moderate to high while the plugin remains on a publicly accessible WordPress installation.
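The two-stage flaw described above (a forged request writes to the database, and the stored value is later echoed into a page) is the result of missing a nonce check on the write path and missing output escaping on the read path. The following PHP is an added, hypothetical WordPress settings handler written to illustrate that pattern and its fix; it is not the Evergreen Post Tweeter plugin's code, and every `ept_demo_` name and option key is an assumption. The weak version is shown only so the corrected version can be compared against it line by line.

```php
<?php
// Added example, not code from the Evergreen Post Tweeter plugin.
// All ept_demo_* function names and the 'ept_demo_footer_text' option key
// are hypothetical; the WordPress API calls are real.

// --- Weak pattern: the class of defect the advisory describes ---
// Any POST that reaches admin-post.php?action=ept_demo_save_weak is accepted:
// no nonce, no capability check, raw value stored, raw value echoed later.
function ept_demo_save_weak() {
    update_option( 'ept_demo_footer_text', $_POST['footer_text'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_ept_demo_save_weak', 'ept_demo_save_weak' );

function ept_demo_render_weak() {
    // Stored XSS sink: whatever was saved is written into the page verbatim.
    echo get_option( 'ept_demo_footer_text', '' );
}

// --- Hardened pattern ---
// The form embeds a nonce bound to the 'ept_demo_save' action, so a request
// forged from another origin cannot carry a valid one.
function ept_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ept_demo_save">
        <?php wp_nonce_field( 'ept_demo_save', 'ept_demo_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'ept_demo_footer_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function ept_demo_save() {
    // 1. CSRF: check_admin_referer() dies with a 403 unless the nonce in
    //    $_POST['ept_demo_nonce'] is valid for this user and this action.
    check_admin_referer( 'ept_demo_save', 'ept_demo_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege, so the
    //    capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 3. Sanitize on the way in (wp_unslash undoes WordPress's magic quotes).
    $value = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'ept_demo_footer_text', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_ept_demo_save', 'ept_demo_save' );

function ept_demo_render() {
    // 4. Escape at the sink. Sanitizing on save is defence in depth, not a
    //    substitute: the stored value could have been written by older code
    //    or by another path, so the output side must escape regardless.
    echo esc_html( get_option( 'ept_demo_footer_text', '' ) );
}
add_action( 'wp_footer', 'ept_demo_render' );
```

The four numbered steps map directly onto the advisory: the nonce closes the CSRF entry point, the capability check keeps a nonce obtained by a low-privileged account from being useful, sanitization limits what can be stored, and escaping at render time removes the Stored XSS even if an unescaped value is already in the database. When reviewing a plugin for this class of bug, look for `update_option`, `update_post_meta` or direct `$wpdb` writes reachable from `admin_post_*`, `wp_ajax_*` or `admin_init` hooks without a `check_admin_referer`/`wp_verify_nonce` call, and for `echo` of option values without an `esc_*` wrapper.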
OpenCVE Enrichment