Impact
Cross‑Site Request Forgery (CSRF) in the Vignette Ads WordPress plugin allows an attacker to inject malicious JavaScript that is stored on the site and subsequently executed in the browser of every visitor. The flaw therefore results in stored cross‑site scripting, which can be used for phishing, credential theft, session hijacking, and other malicious actions against anyone who views pages rendered by the compromised plugin. The underlying weakness is a missing or misconfigured anti‑CSRF token (WordPress nonce) on the plugin's state‑changing requests, which permits unsanctioned write operations to the database.
Affected Systems
The vulnerability affects the topplugins Vignette Ads plugin for WordPress with all releases up to and including version 0.2. Any WordPress site that has the plugin installed in that version range is at risk, regardless of the core WordPress version. Sites that have updated beyond 0.2 are no longer impacted.
Risk and Exploitability
The CVSS base score of 7.1 indicates moderate to high severity, while the EPSS score of less than 1% suggests a low expected exploitation rate at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unsanctioned state‑changing request that requires user interaction, such as clicking a malicious link sent in an email or embedded on a third‑party site, to trigger the CSRF action that stores the XSS payload. An attacker could therefore social‑engineer an administrator or other privileged user into visiting that link, after which the injected script would execute whenever the affected plugin page loads.
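To make the weakness class described under Impact and Risk and Exploitability concrete, the following is an added illustration written for this page; it is not the Vignette Ads plugin's own code and does not reproduce its actual handlers, option names or pages. It shows a WordPress settings handler in the vulnerable shape the advisory describes (no nonce, no capability check, no sanitization, unescaped output) beside a hardened version that verifies a nonce, checks capability, sanitizes on write and escapes on render. Every name prefixed `va_example_` (functions, the option key, the admin‑post action and the settings page slug) is an assumption.

```php
<?php
/**
 * Added example, not the plugin's own code: a WordPress admin-post handler that
 * stores an ad snippet, first in the weakness class the advisory describes and
 * then hardened. All identifiers prefixed "va_example_" are assumed.
 */

// --- Vulnerable pattern: a cross-site POST forged from a logged-in admin's
// browser is accepted, and the raw HTML lands in the database, from where it
// renders for every visitor (stored XSS reached via CSRF).
function va_example_vulnerable_save() {
    // No nonce check: the request may originate from any site the admin visits.
    // No current_user_can() check and no sanitization of the submitted value.
    update_option( 'va_example_ad_html', $_POST['ad_html'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=va_example' ) );
    exit;
}

function va_example_vulnerable_render() {
    // Unescaped output: whatever was stored is echoed into the page as-is.
    echo '<div class="va-ad">' . get_option( 'va_example_ad_html', '' ) . '</div>';
}

// --- Hardened pattern.
function va_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="va_example_save">
        <?php wp_nonce_field( 'va_example_save_settings', 'va_example_nonce' ); ?>
        <textarea name="ad_html"><?php echo esc_textarea( get_option( 'va_example_ad_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function va_example_hardened_save() {
    // 1. Capability check: only users allowed to manage options may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: ties the request to a form this site issued to this user,
    //    so a request forged from a third-party page stops here (check_admin_referer()
    //    calls wp_die() when the nonce is missing or invalid).
    check_admin_referer( 'va_example_save_settings', 'va_example_nonce' );

    // 3. Input sanitization: wp_kses_post() strips <script>, on* event handlers
    //    and other markup outside the post-safe allowlist before storage.
    $raw  = isset( $_POST['ad_html'] ) ? wp_unslash( $_POST['ad_html'] ) : '';
    $safe = wp_kses_post( $raw );
    update_option( 'va_example_ad_html', $safe );

    wp_safe_redirect( admin_url( 'options-general.php?page=va_example&updated=1' ) );
    exit;
}

function va_example_hardened_render() {
    // 4. Escape at render time as well: re-applying wp_kses_post() means a value
    //    written through some other path still cannot execute script for visitors.
    echo '<div class="va-ad">' . wp_kses_post( get_option( 'va_example_ad_html', '' ) ) . '</div>';
}

// Wire the hardened handler and its settings page (action and slug are assumed).
add_action( 'admin_post_va_example_save', 'va_example_hardened_save' );
add_action( 'admin_menu', function () {
    add_options_page( 'VA Example', 'VA Example', 'manage_options', 'va_example', 'va_example_settings_form' );
} );
```

The nonce is the control that directly addresses the CSRF described above: a page on an attacker's domain cannot read the nonce value embedded in the victim's settings form, so the forged POST fails `check_admin_referer()` before any write occurs. The capability check, write-time sanitization and render-time escaping are defence in depth for the stored XSS half of the chain, so that even a request that somehow passes the nonce check cannot persist executable script.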
OpenCVE Enrichment