This vulnerability in Lewe ChordPress allows an attacker to exploit CSRF to inject stored XSS payloads. The affected versions are from initial releases through 4.0.1. The CVSS 3.1 vector indicates the attack can be performed remotely over the network with low complexity and without privileges, but requires user interaction. The vulnerability impacts confidentiality, integrity, and availability to a low degree. No known exploits are reported in the wild, and no patch or vendor advisory is currently available.

Successful exploitation could allow an attacker to execute stored XSS attacks via CSRF, potentially leading to unauthorized actions performed in the context of an authenticated user. This can result in partial compromise of user data confidentiality, integrity, and availability. The overall impact is rated high based on the CVSS score, but no active exploitation is known.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting use of the affected plugin version and apply standard CSRF mitigations if possible. Monitor official channels for updates from George Lewe regarding patches or workarounds.