Impact
The Auto Post Scheduler plugin contains a cross-site request forgery (CSRF) flaw: the aps_options_page handler saves submitted settings without verifying a WordPress nonce. An attacker who lures a logged-in administrator to a page that submits a forged request can change the plugin's settings and store arbitrary JavaScript in them. Because the stored value is later rendered to site visitors or administrators, the outcome is stored cross-site scripting that can read cookies, hijack sessions, or modify page content. The issue is classified as CWE-79 (the stored XSS outcome). The attacker needs no account on the target site; the only precondition is that an authenticated administrator be induced to submit the forged request, so a single successful lure compromises the confidentiality and integrity of the site.
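The pattern described above, as an added illustration that is not the Auto Post Scheduler plugin's actual code: an options-page handler that saves POSTed settings with no nonce check and no sanitization, next to a hardened version of the same handler. The `_vulnerable`/`_hardened` function names, the option name `aps_footer_html` and the form field names are assumptions chosen for the example; only the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's real code. The option name
// 'aps_footer_html' and all form field names are assumptions.

// VULNERABLE pattern: any page the logged-in admin visits can auto-submit
// this form, because nothing ties the request to the admin's intent.
function aps_options_page_vulnerable() {
    if ( isset( $_POST['aps_save'] ) ) {
        // No check_admin_referer(): the request may have been forged.
        // No sanitization: a <script> tag is stored verbatim.
        update_option( 'aps_footer_html', wp_unslash( $_POST['aps_footer_html'] ) );
    }
    $value = get_option( 'aps_footer_html', '' );
    echo '<form method="post">';
    // Unescaped output: stored script runs in every admin's browser.
    echo '<textarea name="aps_footer_html">' . $value . '</textarea>';
    echo '<input type="submit" name="aps_save" value="Save">';
    echo '</form>';
}

// HARDENED pattern: capability check, nonce bound to this specific action,
// sanitization on input, escaping on output.
function aps_options_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['aps_save'] ) ) {
        // Terminates the request if the nonce is missing, expired or forged;
        // a cross-origin page cannot obtain the victim's nonce value.
        check_admin_referer( 'aps_save_options', 'aps_nonce' );
        // Keep only the HTML subset allowed in posts; <script> is stripped.
        $clean = wp_kses_post( wp_unslash( $_POST['aps_footer_html'] ) );
        update_option( 'aps_footer_html', $clean );
    }
    $value = get_option( 'aps_footer_html', '' );
    echo '<form method="post">';
    // Emits a hidden field named aps_nonce for the 'aps_save_options' action.
    wp_nonce_field( 'aps_save_options', 'aps_nonce' );
    echo '<textarea name="aps_footer_html">' . esc_textarea( $value ) . '</textarea>';
    echo '<input type="submit" name="aps_save" value="' . esc_attr( 'Save' ) . '">';
    echo '</form>';
}
```

The nonce check is the fix for the CSRF itself: a forged cross-origin request cannot carry a valid nonce, so `check_admin_referer()` rejects it before any option is written. The `wp_kses_post()` and `esc_textarea()` calls are defence in depth; note that on a single-site WordPress install administrators hold the `unfiltered_html` capability, so a setting that legitimately needs to hold script may keep raw storage, in which case the nonce check alone closes the attacker's path and output escaping decides where the value may be rendered.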
Affected Systems
Any WordPress site running Auto Post Scheduler version 1.84 or earlier, distributed by johnh10, is affected; the installed version is shown on the Plugins screen in wp-admin. Sites that have not applied the latest release remain at risk. No information is available about proprietary modifications or custom builds, so the stated version range should be treated as the full scope.
Risk and Exploitability
The CVSS base score of 6.1 places the vulnerability in the medium severity range. Exploitation requires inducing an administrator to open a crafted link or page while logged in, so it depends on social engineering rather than unauthenticated automated exploitation, which lowers the real-world likelihood. No EPSS score is available and the flaw is not listed in the KEV catalog, so there is no public evidence that it has been widely abused. Nonetheless, because a successful attack yields persistent script execution in the context of the site, administrators should treat this as a priority issue and update promptly.
OpenCVE Enrichment