The silencecm Twitter Card Generator plugin versions up to 1.0.5 contain a CSRF vulnerability that enables stored XSS attacks. This occurs when an attacker tricks an authenticated user into submitting a crafted request, which is then stored and executed in the context of the application. The vulnerability has a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of affected users. This can result in information disclosure, session hijacking, or other malicious actions. The vulnerability affects confidentiality, integrity, and availability to a limited extent. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the Twitter Card Generator plugin to mitigate risk. Implementing CSRF protections and input validation may reduce exposure, but these are general mitigations and may not fully address the issue without an official patch.