The Mass Custom Fields Manager WordPress plugin contains a cross‑site request forgery flaw that allows an attacker to craft a request that a logged‑in administrator or author will submit, injecting a reflected cross‑site scripting payload into the resulting page. This gives the attacker the ability to execute arbitrary client‑side code in the victim’s browser, potentially compromising credentials, session tokens, and enabling further malicious actions. The weakness is identified as CWE‑352. Based on the description, it is inferred that the attacker can trigger this behavior by sending a malicious link to a privileged user.

The vendor is Oren Yomtov, offering the Mass Custom Fields Manager plugin for WordPress. All releases from the earliest available version up to and including 1.5 are affected. WordPress sites that have installed any of these plugin versions face the risk of exploitation.

The CVSS score of 7.1 indicates a moderate‑to‑high severity of the vulnerability, while the EPSS score of less than 1% reflects a very low current probability of exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can remotely trigger the reflected XSS by enticing a logged‑in administrator or other privileged user to load a crafted URL, causing the browser to submit the forged request.