Impact
A Cross-Site Request Forgery (CSRF) flaw in the MadeGlobal Better Protected Pages plugin lets an attacker make a logged-in user's browser submit state-changing requests to a WordPress site without that user's knowledge or consent. Because the forgeable request accepts unsanitized input and the stored value is later rendered back into the page, the same weakness chains into stored Cross-Site Scripting: a script payload written this way persists on the page and executes in the browser of every later visitor who loads it. The root cause is that the plugin neither verifies that a request was intentionally submitted by the user (WordPress provides nonces for exactly this purpose) nor sanitizes user-supplied data before storing it or escapes it on output.
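The two defects described above, a missing request-origin check and missing sanitization, map onto a familiar WordPress pattern. The following is an added illustration written for this page; it is not code from the Better Protected Pages plugin. The option name `bpp_message`, the action `bpp_save_settings`, the nonce field `bpp_nonce` and the settings page slug are hypothetical names chosen for the example. The first half shows the vulnerable shape, the second half the hardened one using only standard WordPress API calls.

```php
<?php
// Added example, not the plugin's own code. Names prefixed bpp_ are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check, no sanitising ---
// Any page a logged-in administrator visits can POST to this endpoint on
// their behalf (CSRF), and whatever is posted is stored verbatim and later
// echoed raw into a page (stored XSS).
function bpp_vulnerable_save() {
    if ( isset( $_POST['bpp_message'] ) ) {
        update_option( 'bpp_message', $_POST['bpp_message'] );   // unsanitised
    }
}

function bpp_vulnerable_render() {
    echo '<p>' . get_option( 'bpp_message', '' ) . '</p>';      // unescaped
}

// --- Hardened pattern ---
// The form embeds a nonce tied to the current user and this action.
function bpp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bpp_save_settings">
        <?php wp_nonce_field( 'bpp_save_settings', 'bpp_nonce' ); ?>
        <input type="text" name="bpp_message"
               value="<?php echo esc_attr( get_option( 'bpp_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler for admin-post.php?action=bpp_save_settings.
function bpp_handle_save_settings() {
    // 1. Capability check: a nonce proves intent, not authorisation, so both
    //    checks are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: a cross-site attacker cannot read the nonce, so a
    //    forged request fails here. check_admin_referer() dies on failure.
    check_admin_referer( 'bpp_save_settings', 'bpp_nonce' );

    // 3. Sanitise on input: strip tags and control characters before storing.
    $message = isset( $_POST['bpp_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['bpp_message'] ) )
        : '';
    update_option( 'bpp_message', $message );

    wp_safe_redirect( admin_url( 'options-general.php?page=bpp&saved=1' ) );
    exit;
}
add_action( 'admin_post_bpp_save_settings', 'bpp_handle_save_settings' );

// 4. Escape on output regardless of what was stored, so that even data that
//    slipped past input sanitisation cannot execute in a visitor's browser.
function bpp_render_message() {
    echo '<p>' . esc_html( get_option( 'bpp_message', '' ) ) . '</p>';
}
```

When auditing a plugin for this class of bug, grep each handler that calls `update_option`, `update_post_meta` or writes to the database for a preceding `check_admin_referer` / `wp_verify_nonce` and a `current_user_can` check, and grep each `echo` of stored data for an `esc_html` / `esc_attr` wrapper. Note that a nonce check alone is not sufficient: WordPress nonces only establish that the user meant to submit the form, so the capability check must stay.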
Affected Systems
WordPress sites running the MadeGlobal Better Protected Pages plugin at version 1.0 or earlier are affected. No finer-grained version information is given, so every build of the plugin up to and including 1.0 should be treated as vulnerable. If the vendor publishes a fixed release, update to it; if no fixed release is available, deactivate and remove the plugin rather than leaving it installed.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the High band. The EPSS estimate below 1% means the model predicts a low probability of exploitation in the near term; it is a forecast, not a record of observed attacks. The vulnerability is not in CISA's KEV catalogue, so no in-the-wild exploitation has been confirmed there, but absence from KEV is not evidence that it is unexploited, and CSRF chained with stored XSS is a well-understood pattern that needs no plugin-specific tooling. Exploitation does not require stealing a session cookie: the attacker only needs a user who holds a valid WordPress session (typically an administrator) to load a page the attacker controls, which then submits the forged request with the victim's cookies attached. A script stored this way runs on every subsequent load of the affected page; if it executes in an administrator's browser it can perform further authenticated actions, which is how the stored XSS translates into privilege escalation and site defacement.