The WP-Planification plugin for WordPress, developed by Mathieu Chartier, contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to 2.3.1. The vulnerability allows an attacker to trick an authenticated user into submitting a forged request, which results in malicious script injection stored on the site. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation could allow an attacker to execute stored XSS attacks via CSRF, potentially leading to session hijacking, defacement, or other malicious actions within the context of the affected WordPress site. The impact is rated as high severity due to the combination of CSRF and stored XSS, but no known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the WP-Planification plugin if possible, or apply any recommended temporary mitigations from the vendor. Monitoring official Mathieu Chartier or WP-Planification channels for updates is advised.