Impact
A Cross-Site Request Forgery (CSRF) vulnerability in the “Admin debug wordpress – enable debug” plugin allows an attacker to submit forged requests that are processed as if they were made by the authenticated WordPress user. The flaw exists in all plugin versions up to and including 1.0.13. The official CVE entry states that it enables Cross Site Request Forgery but does not detail the specific state changes that a victim could experience. The impact, therefore, is that a logged-in user could be tricked into performing unintended actions through the plugin’s exposed endpoints. The description covers CSRF only and mentions no other exploit vectors.
Affected Systems
All installations of the DigitalZoomStudio “Admin debug wordpress – enable debug” plugin, from the earliest release through version 1.0.13, are affected. WordPress sites that have this plugin active and allow its debug functionality to be invoked by authenticated users are therefore exposed.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity assessment. An EPSS score of < 1% reflects a very low probability of exploitation. The vulnerability is not recorded in the CISA KEV database. Attackers would typically exploit the flaw by delivering a malicious web page or email link that prompts an authenticated administrator to visit a URL that submits a forged request. This typically requires the victim to be logged into WordPress, so the attack relies on user interaction with a crafted request. Because the issue is a CSRF flaw, it requires no system privileges beyond those of the authenticated user.