CVE-2025-48304

WordPress · WordPress Google XML News Sitemap plugin (by Gary Illyes)

Executive summary

A high-severity vulnerability in the Google XML News Sitemap WordPress plugin allows for Stored Cross-Site Scripting (XSS) via a Cross-Site Request Forgery (CSRF) attack, potentially enabling site takeover.

Vulnerability

This is a chained vulnerability. An attacker can first exploit a Cross-Site Request Forgery (CSRF) flaw by tricking an authenticated administrator into clicking a malicious link. This action then injects a persistent malicious script (Stored XSS) into the website's database, which will execute in the browser of any user who views the compromised page.
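To make the chain concrete, the following is an added illustration, not the Google XML News Sitemap plugin's own code (which this page does not reproduce): a generic WordPress settings handler in the shape the advisory describes, a write that trusts any request and an output that echoes the stored value raw, placed beside a hardened version. Every name prefixed `xyz_example_` (functions, the `xyz_news_name` option, the `xyz_example_save` action and nonce) is hypothetical; the WordPress APIs used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_attr`) are real.

```php
<?php
/**
 * Illustration only. Not the plugin's own code; option, action and
 * function names (xyz_example_*, xyz_news_name) are hypothetical.
 */

// --- Vulnerable shape: no nonce, no capability check, unescaped output ---
function xyz_example_save_settings_vulnerable() {
    // Any request carrying the field is trusted. A forged form submitted by a
    // logged-in administrator's browser (CSRF) lands here and is stored verbatim.
    $value = isset( $_POST['xyz_news_name'] ) ? $_POST['xyz_news_name'] : '';
    update_option( 'xyz_news_name', $value ); // stored without sanitization
}

function xyz_example_render_vulnerable() {
    // The stored value is echoed raw into an attribute: a value containing
    // a closing quote and a script tag executes for whoever views the page.
    echo '<input name="xyz_news_name" value="' . get_option( 'xyz_news_name', '' ) . '">';
}

// --- Hardened shape: nonce + capability check on write, escaping on read ---
function xyz_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="xyz_example_save">';
    // Per-user, time-limited token that a cross-site page cannot obtain.
    wp_nonce_field( 'xyz_example_save', 'xyz_example_nonce' );
    // Attribute context: esc_attr() neutralizes quotes and angle brackets,
    // so a stored payload is displayed as text rather than executed.
    echo '<input name="xyz_news_name" value="' . esc_attr( get_option( 'xyz_news_name', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function xyz_example_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage options may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: dies unless the nonce is present and valid. This must
    //    run before the write, or it protects nothing.
    check_admin_referer( 'xyz_example_save', 'xyz_example_nonce' );
    // 3. Sanitize before storage (strips tags and control characters).
    $value = isset( $_POST['xyz_news_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['xyz_news_name'] ) )
        : '';
    update_option( 'xyz_news_name', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=xyz-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_xyz_example_save', 'xyz_example_save_settings_hardened' );
```

The two fixes are independent layers: the nonce and capability check stop the forged write, and output escaping ensures that even a value that reached the database by another route is rendered inert. A WAF signature on either the request or the response is a compensating control on top of this, not a substitute for the checks in the handler.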

Business impact

Rated 7.1 (High) on the CVSS scale, this vulnerability poses a serious threat. The stored XSS payload executes with the privileges of the viewing user. If another administrator views the page, the script can be used to steal their session cookies, create new admin accounts, or redirect users to malicious websites, leading to a full compromise of the site and its users.

Remediation

Immediate Action: Apply the latest security update for the Google XML News Sitemap plugin as soon as it is available. If no patch is available, disable and uninstall the plugin.

Proactive Monitoring: Scan the website's database and files for suspicious scripts or unauthorized content. Review audit logs for unexpected actions performed by administrative accounts.

Compensating Controls: A Web Application Firewall (WAF) may help mitigate both CSRF and XSS attacks. Training administrators to be wary of unsolicited links can also reduce the risk of the initial CSRF attack.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a dangerous vulnerability that can unravel the security of an entire website. The ability for an attacker to inject persistent malicious scripts requires immediate action. Administrators must update or remove the vulnerable plugin without delay to protect their site and its users.