A high-severity Cross-Site Request Forgery (CSRF) vulnerability in the cuckoohello 百度分享按钮 plugin enables Stored XSS, allowing an attacker to inject malicious scripts into the website.

The plugin is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated attacker can create a malicious web page or link that forces an authenticated administrator's browser to submit a request. This request can be used to inject a persistent malicious script (Stored XSS) into the site.

This vulnerability is rated as High severity with a CVSS score of 7.1. An attacker could exploit this to execute arbitrary scripts in the browsers of all website visitors, leading to session hijacking, credential theft, defacement, or redirection to malicious sites. This poses a direct threat to user security and the integrity of the website.

Immediate Action: Update the cuckoohello 百度分享按钮 plugin to the latest patched version provided by the vendor immediately.

Proactive Monitoring: Scan website pages and database entries for suspicious script tags or unexpected content. Monitor for administrative actions that were not intentionally performed.

Compensating Controls: Implement a Web Application Firewall (WAF) with robust rules against CSRF and XSS attacks to provide a layer of defense if immediate patching is not possible.

Public Exploit Available: false

The combination of CSRF and Stored XSS presents a clear and significant danger to the affected website. The High severity rating necessitates immediate action. Administrators must prioritize updating the plugin to the patched version to prevent potential compromise.