CVE-2025-48311
OffClicks · OffClicks Invisible Optin
**A high-severity Cross-Site Request Forgery (CSRF) vulnerability in OffClicks Invisible Optin allows for Stored XSS, creating a significant risk of website and user account compromise.**
Executive summary
A high-severity Cross-Site Request Forgery (CSRF) vulnerability in OffClicks Invisible Optin allows for Stored XSS, creating a significant risk of website and user account compromise.
Vulnerability
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker can craft a malicious request that, if processed by an authenticated administrator's browser, leads to the injection of a persistent cross-site script (Stored XSS) into the web application.
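The following is a constructed illustration of the pattern described above, not code from the OffClicks Invisible Optin plugin: a WordPress-style settings handler that accepts an administrator's browser request with no nonce or capability check and stores the value raw (so a forged cross-site request becomes stored script), beside a hardened version. The hook name, option key, field name and nonce action are hypothetical; the advisory does not identify the affected parameter.

```php
<?php
// Added example (not from the OffClicks Invisible Optin plugin). The hook,
// option name, field name and nonce action below are hypothetical placeholders.

// --- Vulnerable pattern: CSRF -> Stored XSS ---
// Any request reaching admin-post.php while an administrator is logged in is
// trusted: no nonce, no capability check, and the submitted value is stored as-is.
function example_save_optin_vulnerable() {
    update_option( 'example_optin_message', $_POST['optin_message'] ); // raw HTML stored
    wp_safe_redirect( admin_url( 'options-general.php?page=example-optin' ) );
    exit;
}
// add_action( 'admin_post_example_save_optin', 'example_save_optin_vulnerable' );

// --- Hardened pattern ---
// 1. The nonce ties the request to a form the admin actually rendered (defeats CSRF).
// 2. The capability check confirms the caller is allowed to change settings.
// 3. Input is sanitized before storage and escaped again when rendered.
function example_save_optin_hardened() {
    check_admin_referer( 'example_save_optin', 'example_optin_nonce' ); // dies on a missing/bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    $message = isset( $_POST['optin_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['optin_message'] ) )
        : '';
    update_option( 'example_optin_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-optin' ) );
    exit;
}
add_action( 'admin_post_example_save_optin', 'example_save_optin_hardened' );

// Settings form: the nonce field emitted here is what the hardened handler verifies.
function example_render_form() {
    $current = get_option( 'example_optin_message', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_optin">
        <?php wp_nonce_field( 'example_save_optin', 'example_optin_nonce' ); ?>
        <input type="text" name="optin_message" value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end rendering: escaping on output means stored content cannot execute as script.
function example_render_optin() {
    echo '<div class="optin">' . esc_html( get_option( 'example_optin_message', '' ) ) . '</div>';
}
```

The two defences are independent: the nonce and capability check stop the forged request from being accepted, and the sanitize-on-input plus escape-on-output pair stops any value that does get stored from being rendered as markup.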
Business impact
With a CVSS score of 7.1, this vulnerability is rated as High severity. A successful exploit enables an attacker to execute malicious scripts on the browsers of site visitors. This could lead to the theft of session tokens, compromise of user accounts, website defacement, or the distribution of malware, severely impacting the site's security and reputation.
Remediation
Immediate Action: Immediately update the OffClicks Invisible Optin plugin to the latest version that contains a patch for this vulnerability.
Proactive Monitoring: Regularly check website content for any unauthorized scripts or modifications. Review administrative logs to ensure all actions were legitimate.
Compensating Controls: A Web Application Firewall (WAF) with comprehensive rules for blocking CSRF and XSS attacks can act as an effective virtual patch if an immediate update is not possible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This CSRF-to-Stored-XSS vulnerability is a critical security flaw that must be addressed urgently. The High severity rating reflects the potential for complete site compromise. Administrators are strongly advised to apply the vendor's update immediately to mitigate this threat.