A Cross‑Site Request Forgery vulnerability in the ThemeFarmer Ultimate Subscribe plugin allows an attacker to inject malicious script that is reflected back into user views. The defect can cause an attacker to deliver JavaScript that executes in the context of the victim’s web browser, potentially enabling session hijacking, cookie theft, or defacement of the site. The weakness is categorized as CWE‑352 – Cross‑Site Request Forgery. The nature of the flaw means that any user with edit privileges can trigger the reflective XSS by submitting a crafted request to the site.

The issue affects all installations of Ultimate Subscribe version 1.3 and earlier. This includes all WordPress sites that have the plugin enabled from the earliest release up to and including 1.3. Sites must verify their current plugin version; upgrading beyond 1.3 removes the vulnerability.

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to embed a malicious payload in a request that bypasses the plugin’s CSRF checks; the likely attack vector involves the site admin or a user with write privileges who can submit the crafted request. Because the flaw delivers a reflected payload, it allows code execution in the browsers of anyone who views the response, including unauthenticated visitors who click a crafted link from an attacker’s site.