The WP Nice Loader WordPress plugin by Alex Volkov contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to and including 0.1.0.4. The vulnerability allows an attacker to trick an authenticated user into submitting a forged request, which can result in malicious scripts being stored and executed in the context of the affected site. The CVSS 3.1 base score is 7.1 (High), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or other malicious actions. The CSRF aspect means attackers can induce authenticated users to perform unintended actions. The combined impact affects confidentiality, integrity, and availability of the affected WordPress site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the WP Nice Loader plugin or applying any recommended temporary mitigations from the vendor. Monitor vendor channels for updates on patches or official fixes.