The shmish111 WP Admin Theme up to version 1.0 contains a CSRF vulnerability that enables stored XSS attacks. This means an attacker could trick an authenticated user into submitting a crafted request that results in malicious script being stored and executed in the context of the victim's browser. The vulnerability has a CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation could allow an attacker to execute stored cross-site scripting attacks via CSRF, potentially leading to session hijacking, defacement, or other malicious actions within the context of the affected WordPress admin theme. The impact is rated as high severity due to the combination of CSRF and stored XSS, which can compromise user sessions and site integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. In the meantime, applying general CSRF protections such as verifying nonces and limiting user privileges may reduce risk but are not guaranteed to fully mitigate this specific vulnerability.