Impact
A cross‑site request forgery flaw in the AF Tell a Friend WordPress plugin lets an attacker forge a request that causes the plugin to store an arbitrary script payload. Once the payload is stored, every subsequent user who views the affected page has the script executed in their browser, which allows the attacker to hijack sessions, steal cookies, deface content, or propagate malware. The weakness is CWE‑352, a classic CSRF flaw that becomes a stored XSS when it is combined with template or content injection bugs. The impact is primarily a loss of confidentiality and data integrity for users who view the affected content, and it can extend site‑wide if the payload is placed in a globally rendered component.
Affected Systems
The AF Tell a Friend plugin, developed by Wladyslaw Madejczyk, is affected in all releases through version 1.4. The plugin is a WordPress add‑on that allows users to share content via a “tell a friend” form. No specific WordPress core version constraint is listed, so any WordPress installation with the plugin v1.4 or older is vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high severity, while the EPSS of less than 1 % suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying that no mass exploitation events have been reported. An attacker exploits the flaw by sending a crafted link or form to a logged‑in administrator or other privileged user, taking advantage of the missing CSRF token. Successful exploitation requires the victim to follow the link and the plugin to accept the request and persist the malicious script. If the attacker controls a user’s browser session or leverages social engineering, the stored XSS can be activated across the site. The absence of a KEV listing reduces urgency, but the CVSS rating warrants timely remediation.
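The root cause above is a state‑changing request that is accepted without proof that the logged‑in user intended it, followed by storage and rendering of the submitted value without sanitisation or escaping. The following example, added here and not taken from the AF Tell a Friend plugin or its author, shows a hypothetical WordPress settings handler in its weak form next to the hardened form a remediation would use. The option name `taf_message_template`, the `taf_save_settings` action, the field and function names are all assumptions; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `sanitize_textarea_field`, `esc_html`, `current_user_can`, the `admin_post_*` hook) are the standard core functions.

```php
<?php
/**
 * Hypothetical "tell a friend" settings handler, added as an example.
 * Not the AF Tell a Friend plugin's own code; option, hook, field and
 * function names are assumptions.
 */

// --- Weak pattern (what a CWE-352 handler looks like) ---
// The request is trusted merely because a browser sent it with a valid
// login cookie: nothing proves the user intended it, no capability is
// checked, and the value is stored (and later printed) unmodified.
function taf_weak_save_settings() {
    update_option( 'taf_message_template', $_POST['taf_message_template'] );
}

// --- Hardened pattern ---

// Render the settings form with a nonce field bound to one named action.
function taf_render_settings_form() {
    $template = get_option( 'taf_message_template', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="taf_save_settings">
        <?php wp_nonce_field( 'taf_save_settings', 'taf_nonce' ); ?>
        <textarea name="taf_message_template"><?php echo esc_textarea( $template ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission: capability check, nonce check, sanitise on input.
function taf_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Stops the request with a 403 "link has expired" page when the nonce
    // is missing, belongs to another action, or was issued to another user.
    // A forged cross-site form cannot supply a valid nonce.
    check_admin_referer( 'taf_save_settings', 'taf_nonce' );

    $raw   = isset( $_POST['taf_message_template'] ) ? wp_unslash( $_POST['taf_message_template'] ) : '';
    $clean = sanitize_textarea_field( $raw ); // strips tags, so <script> is never stored
    update_option( 'taf_message_template', $clean );

    wp_safe_redirect( add_query_arg( 'taf_saved', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_taf_save_settings', 'taf_save_settings' );

// Escape on output too: defence in depth if a stored value is ever tainted
// by some other path (import, direct DB edit, an older unfixed version).
function taf_render_front_end_message() {
    echo '<p>' . esc_html( get_option( 'taf_message_template', '' ) ) . '</p>';
}
```

The nonce is what closes CWE‑352: the forged request the advisory describes carries the victim's session cookie but not a nonce minted for that victim and that action, so `check_admin_referer` rejects it before anything is written. The sanitise‑on‑input and escape‑on‑output steps address the stored XSS half independently, so the page stays safe even when a legitimately authenticated administrator submits script, or when a value was stored by an older, unfixed release.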
OpenCVE Enrichment