Cross‑Site Request Forgery (CSRF) in the MHR‑Custom‑Anti‑Copy plugin allows a stored Cross‑Site Scripting (XSS) payload to be injected via a forged request. The attacker can craft a request that appears to originate from an authenticated user, causing the plugin to record arbitrary script content that will later be executed in the browsers of all users who view the affected page. This can lead to theft of session cookies, credential hijacking, defacement, and other malicious behavior as the stored malicious script runs with the privileges of the visiting user. The weakness is classified as CWE‑352.

WordPress plugin MHR‑Custom‑Anti‑Copy from the vendor mahadirz is affected. All released versions up to and including 2.0 are vulnerable, while any version newer than 2.0 is considered not vulnerable. Site administrators using the default installation of the plugin without upgrading should be aware of this risk.

With a CVSS score of 7.1 the vulnerability is of medium‑to‑high severity. The EPSS score of less than 1 % indicates a very low probability of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog. A likely attack vector is a malicious link or form that forces a logged‑in administrator to send a crafted request to the plugin’s endpoint, resulting in the persistence of an injected script. Because the attack requires the victim to be authenticated, the impact is limited to sites where attackers can entice token‑bearing users into executing the forged request.