Impact
This vulnerability is a Cross‑Site Request Forgery flaw that allows a malicious actor to elevate privileges on a WordPress site that has the Custom Post Type Lockdown plugin installed. By exploiting the CSRF flaw, an attacker can gain administrator‑level capabilities, potentially modifying any content, installing additional plugins, or taking complete control of the site. This directly impacts the confidentiality, integrity, and availability of the site’s data and services.
Affected Systems
The affected product is the yonisink Custom Post Type Lockdown WordPress plugin, version 1.11 and earlier. All installations of the plugin, from the earliest available release up to and including 1.11, are vulnerable. Any WordPress site with the plugin installed and active is exposed.
Risk and Exploitability
The CVSS score of 8.8 classifies this flaw as high severity, while the EPSS score of less than 1% indicates a low current exploitation probability. It is not listed in the CISA KEV catalog, so no known widespread exploitation activity is reported. The likely attack vector is remote via HTTP/S: the attacker merely needs to construct a forged request that a logged‑in user’s browser will execute. Because the flaw enables privilege escalation, even infrequent exploitation can have a catastrophic impact on the site’s security.
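The root cause of a CSRF flaw of this kind is a state-changing plugin handler that accepts any authenticated POST without checking a request token. The following is an added illustration, not code from the Custom Post Type Lockdown plugin: a hypothetical handler (function names prefixed cptl_demo_ are invented) that grants a capability to a role, shown first in the vulnerable form and then hardened with a WordPress nonce check bound to the user and action plus an explicit capability check.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical admin-post
// handler that grants a capability to a role. A forged cross-site request
// from a logged-in administrator's browser would be honoured by the
// "before" form; the "after" form rejects it.

// BEFORE (vulnerable pattern): no nonce, no capability check, any cap accepted.
function cptl_demo_save_settings_vulnerable() {
    $role = get_role( sanitize_key( $_POST['role'] ?? '' ) );
    if ( $role ) {
        $role->add_cap( sanitize_key( $_POST['cap'] ?? '' ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// AFTER (hardened): confirm the acting user holds manage_options, then
// verify the nonce for this specific action; check_admin_referer() dies
// with a 403 when the nonce is missing, expired, or issued for another
// user or action, which is exactly what a forged cross-site request lacks.
function cptl_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'cptl_demo_save_settings', 'cptl_demo_nonce' );

    // Allow-list the capabilities the feature is meant to manage so the
    // handler can never be used to hand out administrator-level caps.
    $allowed_caps = array( 'edit_posts', 'edit_others_posts', 'publish_posts' );
    $cap  = sanitize_key( $_POST['cap'] ?? '' );
    $role = get_role( sanitize_key( $_POST['role'] ?? '' ) );
    if ( $role && in_array( $cap, $allowed_caps, true ) ) {
        $role->add_cap( $cap );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_cptl_demo_save', 'cptl_demo_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce field;
// wp_nonce_field() writes a hidden input that check_admin_referer() reads.
function cptl_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cptl_demo_save">';
    wp_nonce_field( 'cptl_demo_save_settings', 'cptl_demo_nonce' );
    echo '<select name="role"><option value="editor">Editor</option></select>';
    echo '<select name="cap"><option value="edit_posts">edit_posts</option></select>';
    submit_button( 'Save' );
    echo '</form>';
}
```

When auditing a plugin for this class of bug, look for every admin_post_*, admin-ajax.php and REST handler that changes state and confirm each one calls check_admin_referer(), wp_verify_nonce() or check_ajax_referer() together with a current_user_can() check.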
OpenCVE Enrichment