A Cross‑Site Request Forgery flaw exists in the WP Options Editor plugin version 1.1 and earlier, permitting an attacker to perform administrative actions without the user’s consent. The vulnerability arises from the plugin’s failure to validate the origin of state‑changing requests, allowing an unauthenticated attacker to construct a forged request that takes advantage of an authenticated session. The consequence is that a legitimate user can be promoted to an administrator or modify critical plugin settings, undermining the confidentiality and integrity of the site. This weakness is classified as a CSRF issue (CWE‑352).

The affected vendor is Mike Selander, who maintains the WordPress WP Options Editor plugin. Any WordPress installation that has WP Options Editor 1.1 or earlier installed is vulnerable. Versions newer than 1.1 are not listed as affected, indicating that the flaw is not present after that release.

The vulnerability carries a CVSS score of 9.8, marking it as critical. The EPSS score is less than 1%, implying a very low exploitation probability at the moment. It is not listed in the CISA KEV catalog, so there is no known large‑scale exploitation. Because the flaw is a CSRF vector, an attacker can trigger the exploit simply by convincing a logged‑in user to visit a malicious URL or by embedding an image or form in a page the user accesses. No advanced skills are required beyond crafting the forged request, but the attacker does need an active user session to succeed.