The WP-HideThat plugin by cconoly suffers from a CSRF vulnerability that enables stored XSS attacks in versions up to 1.2. An attacker can trick an authenticated user into submitting a crafted request, which results in malicious script storage and execution within the affected site. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS score of 7.1 reflects the potential impact on confidentiality, integrity, and availability of the affected system. No patch or official remediation guidance is currently provided.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected site, potentially compromising user data, session tokens, or site integrity. The CSRF nature means attackers can induce authenticated users to perform unintended actions. The vulnerability affects confidentiality, integrity, and availability to a limited extent as per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the WP-HideThat plugin or restricting access to trusted users only. Applying web application firewall (WAF) rules to detect and block CSRF and XSS attack patterns may provide temporary protection.