Impact
A cross‑site request forgery flaw in the merzedes Custom Style WordPress plugin allows an attacker to submit a forged request that injects malicious HTML or JavaScript into the plugin’s stored styling data. Because the payload is stored, it is rendered on every page that loads the style, enabling the attacker to run arbitrary script in visitors’ browsers, potentially leading to cookie theft, session hijacking, site defacement, or other malicious actions.
Affected Systems
All WordPress sites running the Custom Style plugin version 1.0 or earlier are affected. The plugin is distributed by the vendor merzedes and the vulnerability exists from its first release through, and including, version 1.0.
Risk and Exploitability
The CVSS base score of 7.1 classifies the flaw as high severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at present. The issue is not listed in the CISA KEV catalog, suggesting no confirmed exploitation in the wild. Because the flaw is a CSRF, the forged request must be issued from the browser of a user who is logged in with permission to modify plugin styles; this limits the attack surface to privileged users, but an attacker who can lure or otherwise compromise such a session can still permanently embed malicious code that is served to every site visitor.
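To show the mechanics behind this class of bug from the defender's side, here is an added example (not the Custom Style plugin's source) of a WordPress settings handler in its unprotected form beside a hardened one; the option name `cs_custom_css`, the `admin_post` action names and the page slug are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Option, action and page names are hypothetical.

// --- Unprotected pattern (shown for contrast, not hooked): no capability check,
// --- no nonce, raw input stored, stored value echoed without escaping.
function cs_save_style_unprotected() {
    // Any POST reaching this endpoint is accepted, including one submitted by a
    // form on another site while an administrator is logged in (CSRF).
    update_option( 'cs_custom_css', $_POST['custom_css'] ?? '' );
}
function cs_print_style_unprotected() {
    // Echoing stored markup unescaped turns the forged write into stored XSS.
    echo '<style>' . get_option( 'cs_custom_css', '' ) . '</style>';
}

// --- Hardened pattern: capability check + nonce + sanitization + escaped output ---
add_action( 'admin_post_cs_save_style', function () {
    // Only users allowed to change site options may save styling data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Aborts unless the request carries a valid nonce, which a cross-site form cannot supply.
    check_admin_referer( 'cs_save_style_action', 'cs_save_style_nonce' );

    $css = wp_unslash( $_POST['custom_css'] ?? '' );
    // CSS never legitimately contains markup; strip all tags so a closing
    // </style> followed by a script element cannot be persisted.
    $css = wp_strip_all_tags( $css );
    update_option( 'cs_custom_css', $css );
    wp_safe_redirect( admin_url( 'admin.php?page=cs-style' ) );
    exit;
} );

add_action( 'wp_head', function () {
    // Sanitize on output as well: defence in depth for values stored before the fix.
    echo '<style>' . wp_strip_all_tags( get_option( 'cs_custom_css', '' ) ) . '</style>';
} );

// The settings form must emit the matching nonce field for the hardened handler.
function cs_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cs_save_style">';
    wp_nonce_field( 'cs_save_style_action', 'cs_save_style_nonce' );
    echo '<textarea name="custom_css">'
        . esc_textarea( get_option( 'cs_custom_css', '' ) ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}
```

When triaging a site that ran the affected version, inspecting the stored option for markup (a `<` character in what should be plain CSS) is a quick indicator that a forged write may already have landed.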
OpenCVE Enrichment