Impact
The Dynamic URL SEO plugin is vulnerable to Cross-Site Request Forgery (CSRF, CWE-352). By tricking an authenticated WordPress user into submitting a crafted request, an attacker can alter the plugin’s settings or make other unauthorized changes that affect the site’s search-engine optimization. This does not lead to remote code execution, but it does allow compromise of the site’s SEO configuration, potentially reducing organic traffic or misdirecting visitors. The severity score of 5.4 reflects this moderate impact on the integrity and availability of the site’s SEO functionality. That the unauthorized changes involve plugin settings is an inference: the CVE text only indicates a CSRF flaw without detailing the exact actions, so this conclusion is drawn from the typical impact of similar weaknesses.
Affected Systems
The issue affects the WordPress plugin Dynamic URL SEO by the vendor brainvireinfo, in all releases up to and including 1.0. No other product or version information is available.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate-severity weakness, and the EPSS score of less than 1% suggests a very low probability of widespread exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker would need the victim to have an authenticated session and to visit a crafted URL, which is the typical CSRF attack vector. The requirement for an authenticated session is inferred from the description: it mentions a CSRF flaw, which generally implies a logged-in user’s context.