The mangup Personal Favicon plugin versions up to 2.0 contain a CSRF vulnerability that enables attackers to execute stored XSS attacks. This occurs because the plugin does not properly verify the origin of requests, allowing malicious requests to be executed with the privileges of an authenticated user. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity but low impact on availability.

Successful exploitation of this vulnerability can lead to stored XSS, which may allow attackers to execute arbitrary scripts in the context of the affected user's browser. This can result in session hijacking, defacement, or other malicious actions. The vulnerability affects confidentiality, integrity, and availability to a limited extent as indicated by the CVSS vector. There are no known active exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor the vendor's communications for updates. In the meantime, consider implementing CSRF protections such as verifying request origins or using anti-CSRF tokens if possible. Avoid clicking on suspicious links or performing sensitive actions while logged into affected versions.