The Anomify AI plugin for WordPress suffers from a CSRF vulnerability due to the absence of nonce verification on its settings page handler and insufficient escaping in the admin_options.php template. The settings form lacks wp_nonce_field() and the handler does not perform check_admin_referer(), enabling cross-origin POST requests to modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which does not encode double-quote characters, and the value is output without esc_attr(), allowing a double-quote attribute escape payload to persist. This enables unauthenticated attackers to inject stored XSS payloads by tricking logged-in administrators into visiting malicious pages that submit forged requests, causing script execution in the admin context.

This vulnerability allows an unauthenticated attacker to perform CSRF attacks that store malicious scripts in the plugin settings. When an administrator visits the plugin settings page, the stored XSS payload executes in their browser, potentially leading to unauthorized actions within the admin interface. The CVSS score is 4.3 (medium severity), indicating limited impact primarily related to integrity via script injection without direct confidentiality or availability loss.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid visiting untrusted sites while logged into WordPress and consider disabling or removing the affected plugin version. Monitoring vendor channels for an official fix is recommended.