Cross‑Site Request Forgery in the add custom google tag manager plugin allows an attacker to bypass the normal request flow and inject JavaScript that is then stored in the site. The injected script will execute whenever page content is loaded by any visitor, which can lead to session theft, defacement or further compromise. The vulnerability stems from failure to verify the authenticity of administrative changes, creating a stored XSS vector.

The affected product is the WordPress add custom google tag manager plugin for the קידום ובניית אתרים website builder. Every release up to version 1.0.3 is vulnerable; no newer versions are listed. Administrators who have not updated the plugin remain at risk unless the plugin is disabled.

The CVSS base score is 7.1, placing the issue in the high‑severity range, while the EPSS score of less than 1% indicates a currently low likelihood of exploitation. The flaw is not yet listed in CISA KEV catalog. Exploitation requires a user with administrative privileges or an authentication session to be present, as the flaw relies on cross‑site request forgery; however, a malicious site can lure a victim into submitting a crafted request that stores the script. Once inserted, the payload runs in the context of any user visiting the affected page, providing a persistent threat. The risk is mitigated by promptly applying a patch or removing the plugin.