The wpNamedUsers plugin (version 0.5 and earlier) contains a CSRF vulnerability that enables stored XSS attacks. An attacker can trick an authenticated user into submitting a crafted request, which leads to malicious script storage and subsequent execution in the context of the affected site. This vulnerability has a CVSS 3.1 base score of 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the victim's browser. This can result in data theft, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability of the affected system. The vulnerability requires user interaction and can be triggered remotely without privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the wpNamedUsers plugin or restricting its use to trusted users only. Monitor vendor channels for updates and apply patches promptly once available.