This vulnerability in the Stop Registration Spam plugin by Tom Royal involves a CSRF weakness (CWE-352) that enables stored XSS attacks. An attacker can trick an authenticated user into submitting a forged request, which results in malicious script storage. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without privileges, requires user interaction, and impacts confidentiality, integrity, and availability to a limited extent. The affected versions include all versions up to 1.23, but no specific version details are provided. No patch or official fix has been disclosed yet.

Successful exploitation could allow an attacker to execute stored XSS via CSRF, potentially leading to session hijacking, defacement, or other client-side attacks affecting users of the plugin. The vulnerability impacts confidentiality, integrity, and availability at a low level but is considered high severity due to the combined CSRF and stored XSS vector. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the plugin or restricting access to trusted users only. Implementing additional CSRF protections at the application level may help mitigate risk. Monitor official Tom Royal communications for updates on patches or workarounds.