This vulnerability involves a CSRF issue in the AlphaOmega Captcha & Anti-Spam Filter plugin (version ≤ 3.3) that enables stored XSS attacks. An attacker could trick an authenticated user into submitting a forged request, resulting in malicious script storage and execution. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low impact on confidentiality, integrity, and availability.

Successful exploitation could allow an attacker to execute stored XSS via CSRF, potentially leading to session hijacking, defacement, or other client-side attacks within the context of the affected application. The vulnerability affects confidentiality, integrity, and availability to a low degree but has a scope change, meaning it can affect components beyond the vulnerable plugin itself.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting the use of the affected plugin to reduce exposure. Implementing standard CSRF protections and input sanitization may help mitigate risk but are not confirmed as effective for this specific vulnerability.