The quanganhdo Custom Smilies plugin versions up to 1.2 contain a CSRF vulnerability that enables stored XSS attacks. An attacker can exploit this flaw by tricking an authenticated user into submitting a crafted request, which results in malicious script storage and execution within the application context. This vulnerability affects the confidentiality, integrity, and availability of the affected system, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). No official patch or vendor advisory has been provided to date.

Successful exploitation of this vulnerability can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected application. This can compromise user data confidentiality, alter application data integrity, and potentially disrupt availability. The vulnerability requires user interaction but no privileges, and it can be exploited remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting the use of the Custom Smilies plugin to mitigate risk. Implementing standard CSRF protections and input validation may reduce exposure but are not confirmed as complete mitigations for this issue.