This vulnerability involves a CSRF flaw in the Eli EZ SQL Reports Shortcode Widget and DB Backup plugin (versions ≤ 5.25.08) that enables an attacker to inject stored XSS payloads. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability. The vulnerability could allow an attacker to trick an authenticated user into executing unwanted actions that result in stored malicious scripts within the application context.

Successful exploitation can lead to stored XSS, which may allow attackers to execute arbitrary scripts in the context of affected users, potentially leading to data theft, session hijacking, or other malicious activities. The vulnerability affects confidentiality, integrity, and availability at a low level. There are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting use of the affected plugin features and implement CSRF protections where possible. Monitor vendor channels for updates and apply patches promptly once available.