This vulnerability involves a CSRF flaw in the WordPress Buffer – HYPESocial plugin by Dejan Markovic, which enables attackers to trick authenticated users into executing unwanted actions. The plugin versions up to 2020.1.0 are affected. The issue also involves reflected XSS, which may be leveraged in conjunction with CSRF to increase impact. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. There is no vendor advisory or patch information available, and the product is not a cloud service.

Successful exploitation could allow attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to partial disclosure of information, modification of data, and disruption of service. The combined CSRF and reflected XSS issues increase the risk of session hijacking or other client-side attacks. However, no known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the affected plugin version to mitigate risk. Applying standard CSRF protections or using security plugins that provide CSRF mitigation may reduce exposure. Monitor for vendor updates regarding patches or official fixes.