The geoWP Geoportail Shortcode plugin versions up to 2.4.4 contain a CSRF vulnerability that enables stored XSS attacks. An attacker can exploit this by tricking an authenticated user into submitting a crafted request, resulting in malicious script storage and execution. The CVSS 3.1 vector indicates the vulnerability is remotely exploitable without privileges and requires user interaction, with impacts on confidentiality, integrity, and availability. No patch or official fix information is currently available, and the vulnerability is not related to a cloud service.

Successful exploitation of this vulnerability can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected application. This can compromise user data confidentiality, integrity, and availability. The CSRF nature means attackers can induce authenticated users to perform unintended actions, increasing risk. However, no known active exploitation has been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting the use of the Geoportail Shortcode plugin, especially in environments where untrusted users can interact with authenticated users. Monitor vendor channels for updates and apply patches promptly once available.