The squiter Spoiler Block plugin versions up to 1.7 contain a CSRF vulnerability that enables an attacker to inject stored XSS payloads. This occurs because the plugin does not properly validate or protect against unauthorized requests, allowing attackers to trick authenticated users into executing malicious scripts. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and impacts confidentiality, integrity, and availability at a low level.

Successful exploitation of this vulnerability can lead to stored XSS attacks, which may allow attackers to execute arbitrary scripts in the context of the victim's browser. This can result in information disclosure, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The vulnerability is rated high severity due to the combination of CSRF enabling stored XSS.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the vulnerable plugin to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once available.