Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw caused by missing or incorrect nonce validation in the foxtool_login_google() function of the Foxtool All-in-One plugin. An attacker can craft a link that invokes this function and send it to a site administrator; if the administrator follows it while logged in, the site establishes an OAuth connection to Google in the context of the administrator's session, without any intent on the administrator's part. The attacker can then use or abuse the OAuth tokens the administrator authorized, potentially exposing sensitive data or enabling further privileged actions within the scope of the granted token. The weakness is classified as CWE-352 (Cross-Site Request Forgery). The CVSS score of 4.3 corresponds to medium severity, and an EPSS score below 1% estimates a low probability that the vulnerability will be exploited in the wild within the next 30 days.
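The PHP below is an added example written for this page, not the plugin's own code. It reproduces the request-handling pattern the advisory describes (an admin_post handler that starts a Google OAuth redirect and trusts any request that reaches it) beside a hardened version that uses WordPress nonce and capability checks, and binds the OAuth state parameter to the current user. Every function, action and constant name, the OAuth client parameters and the state-binding detail are assumptions for illustration; the real foxtool_login_google() implementation is not shown on this page.

```php
<?php
/**
 * Illustrative example only (not the plugin's code): a hypothetical admin_post
 * handler that starts a Google OAuth connection, shown first without nonce
 * validation (the CWE-352 pattern the advisory describes) and then hardened.
 * All names below are assumptions for this example.
 */

// ---- Vulnerable pattern: any request that reaches the handler is trusted ----
function example_login_google_vulnerable() {
    // No nonce check and no capability check: a logged-in administrator who
    // follows a crafted link to admin-post.php?action=example_login_google_vulnerable
    // has the OAuth flow started on their behalf by a third-party page.
    wp_redirect( example_build_google_authorize_url( 'unbound-state' ) );
    exit;
}
add_action( 'admin_post_example_login_google_vulnerable', 'example_login_google_vulnerable' );

// ---- Hardened pattern ----
const EXAMPLE_NONCE_ACTION = 'example_login_google';

// The link rendered on the plugin's settings page. wp_nonce_url() appends a
// _wpnonce value tied to the current user and session, which a cross-site
// page cannot read or forge.
function example_connect_button_url() {
    $url = admin_url( 'admin-post.php?action=example_login_google' );
    return wp_nonce_url( $url, EXAMPLE_NONCE_ACTION );
}

function example_login_google_hardened() {
    // 1. Nonce: check_admin_referer() verifies _wpnonce against the action and
    //    calls wp_die() on failure, so a forged request never reaches the redirect.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    // 2. Authorization: only users allowed to manage the site may link it to Google.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 3. Defense in depth: bind the OAuth state to this user so the callback
    //    can reject a response that was not started from this session.
    $state = wp_create_nonce( 'example_oauth_state_' . get_current_user_id() );
    wp_redirect( example_build_google_authorize_url( $state ) );
    exit;
}
add_action( 'admin_post_example_login_google', 'example_login_google_hardened' );

// Callback side: re-check the state before the authorization code is exchanged.
function example_oauth_callback() {
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! current_user_can( 'manage_options' )
        || ! wp_verify_nonce( $state, 'example_oauth_state_' . get_current_user_id() ) ) {
        wp_die( esc_html__( 'Invalid OAuth state.' ), '', array( 'response' => 403 ) );
    }
    // The code-for-token exchange and token storage would follow here; it is
    // outside the scope of this example.
}
add_action( 'admin_post_example_oauth_callback', 'example_oauth_callback' );

// Shared helper: builds the Google authorization URL. Client ID and scope are
// placeholders chosen for the example.
function example_build_google_authorize_url( $state ) {
    $params = array(
        'client_id'     => 'YOUR_CLIENT_ID.apps.googleusercontent.com',
        'redirect_uri'  => admin_url( 'admin-post.php?action=example_oauth_callback' ),
        'response_type' => 'code',
        'scope'         => 'openid email',
        'state'         => $state,
    );
    return add_query_arg( $params, 'https://accounts.google.com/o/oauth2/v2/auth' );
}
```

The nonce check alone closes the CSRF described in the advisory, because the attacker cannot obtain a valid _wpnonce for the victim's session. The capability check matters separately: a nonce proves the request came from the plugin's own page, not that the user is allowed to perform the action. Binding the OAuth state to the user is an additional measure against a response being spliced into a different session and is not something the advisory says the plugin does or does not do.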
Affected Systems
The issue affects the Foxtool All‑in‑One: Contact chat button, Custom login, Media optimize images plugin released by foxtheme. All plugin versions up to and including 2.5.2 are vulnerable.
Risk and Exploitability
The risk is that an attacker can coerce a legitimate administrator into authorizing an unintended Google OAuth connection. Because the flaw requires an authenticated administrator to follow a malicious link, the attack vector is phishing or other social engineering, and the attacker cannot trigger the flaw directly. The medium CVSS score (4.3) and an EPSS below 1% indicate a limited exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Once triggered, however, the attacker may gain privileged access through the OAuth channel within whatever the administrator's authorization covers, potentially compromising other services linked to the administrator's Google account.
OpenCVE Enrichment