The Venugopal 'Show notice or message on admin area' plugin versions up to 2.0 contain a CSRF vulnerability that enables stored XSS attacks. This occurs because the plugin does not adequately verify the origin of requests to the admin area, allowing attackers to trick authenticated users into executing malicious requests. The vulnerability has a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to stored XSS in the admin area, potentially allowing attackers to execute arbitrary scripts in the context of an administrator's browser session. This can result in unauthorized actions, data manipulation, or session hijacking. The vulnerability affects confidentiality, integrity, and availability to a limited extent as indicated by the CVSS vector. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider limiting access to the affected plugin, disabling it if possible, or applying any recommended temporary mitigations from the vendor. Monitoring for updates from Venugopal is advised to apply an official fix once released.