The WP User Stylesheet Switcher plugin by vgstef, up to version 2.2.0, contains a CSRF vulnerability that enables stored XSS attacks. This occurs because the plugin does not properly validate requests, allowing attackers to trick authenticated users into submitting malicious requests that result in persistent script injection. The CVSS 3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability could allow an attacker to execute stored cross-site scripting attacks via CSRF, potentially leading to unauthorized actions performed in the context of an authenticated user. This could compromise user data confidentiality, integrity, and availability of the affected WordPress site. However, no known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the WP User Stylesheet Switcher plugin if it is not essential. Additionally, applying general CSRF mitigations such as enforcing anti-CSRF tokens and limiting user permissions may reduce risk.