This vulnerability in the Mass Custom Fields Manager plugin (versions up to 1.5) allows an attacker to exploit Cross-Site Request Forgery (CSRF) to trick authenticated users into executing unwanted actions. The issue is compounded by the presence of reflected XSS, which may facilitate exploitation. The CVSS v3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability rated as low to low to low respectively.

Successful exploitation could allow attackers to perform unauthorized state-changing operations within the context of an authenticated user session, potentially leading to limited disclosure of information, modification of data, and disruption of service. The reflected XSS aspect may increase the attack surface by enabling injection of malicious scripts. However, no known active exploits have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or limiting use of the affected plugin, and apply standard CSRF mitigations such as ensuring anti-CSRF tokens are implemented. Monitor vendor channels for updates and apply patches promptly once released.