Impact
The ads.txt Guru Connect Plugin contains a cross-site request forgery (CSRF) flaw. An attacker who lures an authenticated user to a page under the attacker's control can make that user's browser submit requests to the plugin, and the site accepts them because they carry the victim's session cookies. This may lead to unintended changes to the ads.txt configuration or other actions exposed through the plugin's API, compromising the integrity of the site's advertising data. The weakness is classified as CWE-352 (Cross-Site Request Forgery), a request-validation flaw that is commonly leveraged for data tampering or for performing privileged actions on the victim's behalf.
Affected Systems
The vulnerability affects all installations of the ads.txt Guru Connect Plugin at version 1.1.1 or earlier. The plugin is used on WordPress sites that manage advertising disclosures through the ads.txt interface.
Risk and Exploitability
With a CVSS score of 9.6 the flaw is rated critical; however, the EPSS score is reported as below 1%, indicating a low current likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Exploitation requires that a logged-in administrator or other privileged user visit an attacker-controlled page or click a crafted link; the forged request is then sent from the victim's browser and processed within the victim's session. The attacker needs no credentials or session of their own, so the attack can be launched remotely by anyone able to get a privileged user to load the malicious page, but it succeeds only against users who are logged in and hold the privileges the targeted action requires.
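To make the CWE-352 pattern described under Impact and the attack path described above concrete, the following is an added example of a generic WordPress admin-ajax handler, showing the vulnerable shape beside a hardened one. It is not the ads.txt Guru Connect plugin's own code: the action names, option name, script handle and the capability used are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the ads.txt Guru Connect plugin.
// Action names, the option name, the script handle and the capability
// are assumptions for illustration.

// --- Vulnerable pattern (CWE-352) ---
// The handler trusts any POST that arrives in an authenticated session.
// A form auto-submitted from an attacker's page is sent by the victim's
// browser with the WordPress login cookies attached, so nothing here
// distinguishes it from a request the administrator made on purpose.
add_action( 'wp_ajax_example_save_adstxt', 'example_save_adstxt_vulnerable' );
function example_save_adstxt_vulnerable() {
    $content = isset( $_POST['adstxt'] ) ? wp_unslash( $_POST['adstxt'] ) : '';
    update_option( 'example_adstxt_content', $content );
    wp_send_json_success( 'saved' );
}

// --- Hardened pattern ---
// A nonce tied to the logged-in user's session must accompany the request,
// and the user must hold the capability the action requires.
add_action( 'wp_ajax_example_save_adstxt_safe', 'example_save_adstxt_safe' );
function example_save_adstxt_safe() {
    // check_ajax_referer() validates the nonce issued for the
    // 'example_save_adstxt' action and, by default, terminates the request
    // when the nonce is missing or invalid. A cross-site page cannot read
    // the nonce, so a forged request fails here.
    check_ajax_referer( 'example_save_adstxt', '_ajax_nonce' );

    // A nonce proves intent, not authorisation: keep the capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $content = isset( $_POST['adstxt'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['adstxt'] ) )
        : '';
    update_option( 'example_adstxt_content', $content );
    wp_send_json_success( 'saved' );
}

// The nonce is issued to the legitimate admin page and sent back with the
// request. Here it is exposed to the plugin's (assumed, already registered)
// admin script under the 'example-adstxt-admin' handle.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-adstxt-admin', 'exampleAdstxt', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_adstxt' ),
    ) );
} );
```

The same principle applies to REST routes: a `permission_callback` that checks capabilities is not sufficient on its own, because the victim's cookies satisfy it; cookie-authenticated REST requests must also carry the `X-WP-Nonce` header (`wp_rest` nonce), which a cross-origin page cannot obtain.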