The AF Tell a Friend plugin by Wladyslaw Madejczyk contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to 1.4. The vulnerability allows an attacker to trick an authenticated user into submitting a forged request, which results in malicious scripts being stored and executed in the context of the affected application. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without privileges, requires user interaction, and impacts confidentiality, integrity, and availability to a limited extent. No patch or official remediation guidance is currently available.

Successful exploitation of this vulnerability could allow attackers to execute stored XSS payloads via CSRF, potentially leading to unauthorized actions performed on behalf of authenticated users, data disclosure, or disruption of service. The impact is rated high due to the combined effects on confidentiality, integrity, and availability, but no active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting the use of the AF Tell a Friend plugin to prevent exploitation. Implementing CSRF protections and input validation may help mitigate risk but are not confirmed as official mitigations.