Impact
A forgery trick allows an attacker to inject arbitrary JavaScript into the plugin’s stored permalink data without authentication. Once the injected script is saved, it runs in the context of any subsequent page view by a privileged user, exposing session cookies and enabling further malicious actions. The weakness is a classic CSRF flaw (CWE‑352) that turns a simple form submission into a storage‑time XSS vector.
Affected Systems
The vulnerability affects WordPress sites running the BeRocket "Permalink Manager for WooCommerce" plugin in any release up to and including version 1.0.8.2. Any installation of these plugin versions is consequently exposed.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog. Because it is unauthenticated CSRF, an attacker can trigger the exploit by enticing a user to visit a crafted link or by embedding the request in a trusted page. Once the script is stored, it executes automatically for privileged users, allowing session hijacking or defacement. The combination of high impact and low pre‑conditions results in a substantial risk for exposed sites.
OpenCVE Enrichment