The WP-ISPConfig 3 plugin by ole1986 suffers from a CSRF vulnerability that enables attackers to execute stored XSS attacks. This affects all versions up to 1.5.6. The vulnerability allows an attacker to trick an authenticated user into submitting a forged request, which can then store malicious scripts in the application. The CVSS 3.1 score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the victim's browser. This can result in data theft, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability of the affected system. The vulnerability requires user interaction but no privileges, and can be exploited remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling or restricting access to the WP-ISPConfig 3 plugin to trusted users only and avoid interacting with untrusted links or sites that could trigger CSRF attacks. Monitor official vendor channels for updates and apply patches promptly once released.