The WP e-Commerce Style Email plugin for WordPress, developed by Jacob Schwartz, contains a CSRF vulnerability that enables code injection attacks. This affects all versions up to 0.6.2. The vulnerability allows an attacker to trick an authenticated user into executing unauthorized actions, resulting in code injection that compromises the system's security properties. The CVSS 3.1 base score is 9.6, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and high impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to complete compromise of the affected WordPress site, including unauthorized code execution, data theft, data modification, and denial of service. The critical CVSS score reflects the potential for severe damage to the system and its data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the WP e-Commerce Style Email plugin to mitigate risk. Additionally, applying web application firewall (WAF) rules to block CSRF attempts may provide temporary protection.