Impact
A Cross-Site Request Forgery vulnerability exists in the W3SPEEDSTER WordPress plugin, allowing an attacker to make an authenticated user's browser submit requests to the site that the user never intended. The flaw is classified as CWE-352: the plugin processes an action without first validating a request-level token (in WordPress terms, a nonce) that proves the request originated from the plugin's own form. If exploited, an attacker could invoke the plugin's features through the victim's session, potentially altering plugin or site settings or performing administrative actions without the user's consent. The impact is bounded by the victim's own privileges, but with an administrator as the victim it can lead to unauthorized configuration changes and content modification.
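The pattern behind a CWE-352 finding in a WordPress plugin, shown as an added illustration rather than the plugin's own code. The handler names, option name, action slugs and menu page are hypothetical; the WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, update_option, admin_post_* hooks) are the standard core API. The first handler accepts any POST carrying the victim's cookies; the second refuses a request that does not carry a nonce minted for that user's session.

```php
<?php
// Added example, not the plugin's code. Names prefixed w3s_example_ are hypothetical.

// Vulnerable pattern (CWE-352): a capability check alone does not stop CSRF,
// because the forged request is sent by the victim's own browser with the
// victim's own login cookies, so current_user_can() passes.
add_action( 'admin_post_w3s_example_save_vulnerable', 'w3s_example_save_vulnerable' );
function w3s_example_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // No nonce is verified: any page the admin visits can trigger this write.
    $value = sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) );
    update_option( 'w3s_example_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=w3s-example' ) );
    exit;
}

// Hardened pattern, part 1: the plugin's own form embeds a nonce bound to the
// current user's session and to the action name 'w3s_example_save'.
function w3s_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'w3s_example_save', 'w3s_example_nonce' ); ?>
        <input type="hidden" name="action" value="w3s_example_save">
        <input type="text" name="setting"
               value="<?php echo esc_attr( get_option( 'w3s_example_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify the nonce before touching the request.
// A third-party page cannot obtain a nonce for the victim's session, so a
// forged request is rejected here before any state changes.
add_action( 'admin_post_w3s_example_save', 'w3s_example_save_hardened' );
function w3s_example_save_hardened() {
    // Dies with a 403-style "link expired" page if the nonce is absent or invalid.
    check_admin_referer( 'w3s_example_save', 'w3s_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) );
    update_option( 'w3s_example_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=w3s-example' ) );
    exit;
}
```

When auditing a plugin for this class of bug, look at every admin_post_*, wp_ajax_* and admin_init handler that calls update_option, wp_update_post or similar, and confirm that check_admin_referer(), check_ajax_referer() or wp_verify_nonce() runs before the write; for REST routes the equivalent is a permission_callback plus the X-WP-Nonce header that WordPress cookie authentication already requires.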
Affected Systems
The vulnerability affects the W3SPEEDSTER plugin for WordPress in versions up to and including 7.33. Any installation running 7.33 or earlier is potentially impacted, regardless of other site configuration.
Risk and Exploitability
A CVSS score of 4.3 falls in the Medium range (4.0 to 6.9), and an EPSS score below 1% indicates a very low estimated probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed report of in-the-wild exploitation. Based on the description, the likely attack vector is a malicious page or link that causes the victim's browser to send a forged request to the site; the attacker must lure a user who is already authenticated and has the rights to perform the plugin's actions. CSRF does not by itself yield remote code execution or privilege escalation, so the attack surface is narrower than for many other vulnerabilities, but any socially engineered privileged user can serve as the vector.