The vulnerability CVE-2025-49351 affects the Create Posts & Terms plugin by Valentin Agachi, specifically versions up to 1.3.1. It is a CSRF vulnerability that enables stored XSS attacks, allowing an attacker to trick an authenticated user into submitting unauthorized requests that result in persistent malicious script injection. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No official patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability can lead to stored XSS, which may allow attackers to execute arbitrary scripts in the context of the affected application, potentially compromising user data, session tokens, or enabling further attacks. The CSRF aspect means attackers can induce authenticated users to perform unintended actions without their consent. The combined impact affects confidentiality, integrity, and availability to a limited extent as per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the affected plugin to trusted users only and implement additional CSRF protections at the application or server level if possible. Monitor vendor channels for updates and apply patches promptly once available.