Impact
The vulnerability is a Cross-Site Request Forgery flaw in the Martins Free Monetized Ad Exchange Network WordPress plugin that lets an attacker inject reflected cross-site scripting code. When an authenticated user or an unauthenticated visitor follows a specially crafted link, the plugin reflects unsanitized request input back into the page, so arbitrary JavaScript runs in the victim's browser context; this can lead to defacement, credential theft, or further infection of the site. The weakness is classified as CWE-352.
Affected Systems
The affected product is the Martins Free Monetized Ad Exchange Network plugin distributed by bundgaard, version 1.0.6 and all earlier releases. WordPress sites running this plugin at version 1.0.6 or earlier are vulnerable.
Risk and Exploitability
The CVSS base score of 7.1 places the issue in the High severity band, while the EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely carry out the CSRF by embedding the malicious link in a website or email that a privileged user unknowingly visits, or by leveraging another site that hosts the plugin. Successful exploitation results in client-side script execution, potentially compromising user sessions or defacing the site. The current mitigation is to apply the vendor patch or, until that is possible, block requests to the vulnerable endpoint.
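The root cause described above (a state-changing or reflecting handler that neither verifies the request's origin nor escapes its input) is a recurring pattern in WordPress plugins. The following is an added illustration, not code from the affected plugin: a hypothetical admin handler in the vulnerable shape, beside a hardened version that uses WordPress nonces to defeat CSRF and escapes output to defeat the reflected XSS. Every name prefixed `example_adx_`, the `network_name` parameter, and the option key are invented for the example.

```php
<?php
// Added example (not the plugin's code). All "example_adx_" names, the
// "network_name" field and the option key are hypothetical.

// --- Vulnerable pattern (CWE-352 plus reflected XSS) ------------------------
// No nonce, no capability check, and the request value is echoed back raw:
// a forged GET or POST from any site is accepted, and injected markup runs.
function example_adx_vulnerable_page() {
    $name = isset( $_REQUEST['network_name'] ) ? $_REQUEST['network_name'] : '';
    echo '<h2>Settings for ' . $name . '</h2>'; // unescaped reflection
}

// --- Hardened pattern --------------------------------------------------------
// 1. Render the form with a nonce bound to a named action. The nonce is
//    per-user and per-action, so a third-party page cannot supply it.
function example_adx_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_adx_save">
        <?php wp_nonce_field( 'example_adx_save_settings', 'example_adx_nonce' ); ?>
        <label>Network name
            <input type="text" name="network_name"
                   value="<?php echo esc_attr( get_option( 'example_adx_network_name', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST: check capability and nonce before doing anything,
//    sanitize on the way in, and never echo the raw request value.
function example_adx_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Dies with a 403 when the nonce is missing or invalid, which is the
    // case for a request forged from another origin.
    check_admin_referer( 'example_adx_save_settings', 'example_adx_nonce' );

    $name = isset( $_POST['network_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['network_name'] ) )
        : '';
    update_option( 'example_adx_network_name', $name );

    // Redirect instead of rendering, so nothing from this request is reflected.
    wp_safe_redirect( admin_url( 'admin.php?page=example_adx&settings-updated=1' ) );
    exit;
}
add_action( 'admin_post_example_adx_save', 'example_adx_save_settings' );

// 3. Wherever the stored value is rendered, escape for the HTML context.
function example_adx_render_name() {
    echo '<h2>Settings for ' . esc_html( get_option( 'example_adx_network_name', '' ) ) . '</h2>';
}
```

The two controls are independent and both are needed: the nonce check (`check_admin_referer` or `wp_verify_nonce`) blocks requests that did not originate from a page the victim legitimately loaded, while `sanitize_text_field` on input and `esc_html`/`esc_attr` on output ensure that even a value that does reach the page cannot execute as script. Reviewing a plugin for this class of bug means finding every handler that reads `$_GET`, `$_POST` or `$_REQUEST` and confirming that each has a nonce or capability gate and escapes what it prints.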
OpenCVE Enrichment