The WP jQuery Persian Datepicker plugin by bhzad, up to version 0.1.0, contains a CSRF vulnerability that enables Stored XSS attacks. An attacker can exploit this by tricking an authenticated user into submitting a crafted request, leading to malicious script storage and execution within the affected application context. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low impact on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected site. This can compromise user sessions, deface content, or perform actions on behalf of the user. The CSRF aspect means that attackers can induce authenticated users to unknowingly perform these malicious actions. There is no indication of known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the vulnerable plugin or restricting its use to trusted environments. Monitor vendor channels for updates and apply patches promptly once available.