The Moloni Contribuinte Checkout plugin versions up to 2.0.03 contain a CSRF vulnerability that enables stored XSS attacks. This occurs when an attacker tricks an authenticated user into submitting a forged request that the application processes without proper verification, leading to the injection and storage of malicious scripts. The vulnerability is network exploitable without privileges but requires user interaction. The CVSS 3.1 vector indicates low attack complexity, no privileges required, but user interaction is necessary, and the vulnerability impacts confidentiality, integrity, and availability at a low level.

Successful exploitation of this vulnerability could allow attackers to execute stored cross-site scripting attacks, potentially compromising user data, session integrity, and application availability. The CSRF nature means attackers can induce authenticated users to perform unwanted actions, which combined with stored XSS, may lead to persistent malicious script execution within the application context.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider implementing CSRF protections such as verifying anti-CSRF tokens on state-changing requests and applying input sanitization to mitigate stored XSS risks. Monitoring vendor channels for updates is recommended.