A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the kasonzhao SEO For Images plugin, allowing for persistent script injection (Stored XSS) and potential site compromise.

This is a Cross-Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker can trick an authenticated administrator into clicking a malicious link, which forces their browser to submit a request to the site. This request can inject a persistent cross-site script into the application.

The vulnerability is rated High severity with a CVSS score of 7.1. A successful exploit allows an attacker to inject malicious code that executes in the browsers of all site visitors. This could be used to steal user session cookies, capture login credentials, deface the website, or redirect users to malware-hosting sites, causing significant reputational and security damage.

Immediate Action: Update the kasonzhao SEO For Images plugin to the latest patched version provided by the vendor immediately.

Proactive Monitoring: Review website files and database records for any unauthorized or suspicious scripts. Monitor administrative logs for unexpected configuration changes.

Compensating Controls: A properly configured Web Application Firewall (WAF) with rulesets for blocking CSRF and XSS attacks can serve as an effective compensating control.

Public Exploit Available: false

The ability for an attacker to achieve persistent script execution via CSRF is a critical threat to website security. Given the High severity rating, patching this vulnerability is paramount. Administrators must update the affected plugin without delay to prevent potential compromise.