Impact
The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0. The plugin fails to validate, or incorrectly validates, the nonce on the 'LatestCheckins' settings page, so a request that updates the plugin's settings is accepted without proof that the logged-in user intended to send it. An unauthenticated attacker can therefore forge such a request and have it submitted from the browser of an administrator who is lured to an attacker-controlled page. Because the submitted values are stored by the plugin and later rendered to other users, the attacker can plant script that executes in the browser context of site administrators or other logged-in users who view the page. The result is a CSRF-to-stored Cross-Site Scripting chain that compromises user sessions and can lead to account takeover, data exfiltration, or site defacement.
Affected Systems
All installations of the WordPress plugin LatestCheckins by vendor janyksteenbeek at version 1.0 or earlier. The plugin is affected regardless of how it is configured: the missing nonce check sits in the plugin's own settings-handling code, so no setting a site owner can change removes the exposure.
Risk and Exploitability
The vulnerability carries a CVSS base score of 6.1 (medium severity). Its EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild at present, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires no credentials on the attacker's side but does require user interaction: the attacker lures a logged-in administrator to a malicious page or link, and the victim's browser submits the forged settings request with the administrator's own session cookies attached. With no valid nonce check to reject it, the request is processed, the malicious script is saved in the plugin's configuration, and it runs whenever an administrator later opens the page. The low EPSS means the immediate likelihood of exploitation is modest, but because the stored script executes with administrator privileges and can be leveraged for credential or session theft, the vulnerability should be considered a high business risk.
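The following PHP is an added illustration and is not code from the LatestCheckins plugin. It shows a settings handler of the shape the advisory describes: first without a nonce or capability check and with the submitted value stored and echoed raw (the CSRF and the stored XSS it enables), then the hardened form using WordPress's nonce and capability APIs with input sanitization and context-aware output escaping. The option name `lc_title`, the nonce action and field names, and all function names are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Option, field, and function names are hypothetical.

// --- Vulnerable shape: no nonce, no capability check, raw storage and raw output ---
function lc_vuln_save_settings() {
    if ( isset( $_POST['lc_title'] ) ) {
        // Any POST reaching this page is accepted, so a form auto-submitted from an
        // attacker's site is processed with the victim administrator's cookies attached.
        update_option( 'lc_title', $_POST['lc_title'] ); // stored unsanitized
    }
}

function lc_vuln_render_settings() {
    $title = get_option( 'lc_title', '' );
    // Echoed unescaped: a stored value such as <script>...</script> executes in the
    // browser of every administrator who opens this page.
    echo '<h2>' . $title . '</h2>';
    echo '<form method="post">';
    echo '<input type="text" name="lc_title" value="' . $title . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened shape: capability check, nonce verification, sanitize on input, escape on output ---
function lc_safe_save_settings() {
    if ( ! isset( $_POST['lc_title'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. Nonce: check_admin_referer() verifies the token bound to this action and to the
    //    current user's session and dies on failure. A cross-site page cannot read or
    //    guess that token, so a forged request is rejected before any state changes.
    check_admin_referer( 'lc_save_settings', 'lc_nonce' );
    // 3. Input sanitization: strip tags and control characters before storing.
    $title = sanitize_text_field( wp_unslash( $_POST['lc_title'] ) );
    update_option( 'lc_title', $title );
}

function lc_safe_render_settings() {
    $title = get_option( 'lc_title', '' );
    // 4. Output escaping chosen per context: HTML body vs. attribute value.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<form method="post">';
    // Emits the hidden lc_nonce field (and _wp_http_referer) that check_admin_referer() expects.
    wp_nonce_field( 'lc_save_settings', 'lc_nonce' );
    echo '<input type="text" name="lc_title" value="' . esc_attr( $title ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

The nonce and capability checks close the CSRF, but they do not by themselves close the stored XSS: an already-privileged user, or any other code path that writes the option, could still store script. The sanitization on write and the escaping on every read are what neutralize the payload, so a fix that only adds the nonce leaves the second half of the chain in place. WordPress nonces are also bound to the user and expire within a day, which is why a valid token captured from one session is of little use in forging a request for another.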