Impact
The BuddyPress Groups Extras plugin contains a CSRF flaw that enables an attacker to trigger authenticated requests on behalf of a logged‑in user. The flaw can be exploited by sending a crafted request from a malicious site or by tricking an authenticated user into visiting a specific link. As a result, an attacker could alter the plugin’s state, potentially adding or removing group members, changing group settings, or performing other privileged actions. This weakness is identified as CWE‑352.
Affected Systems
The vulnerability affects the BuddyPress Groups Extras plugin developed by Slava Abakumov. Versions up to and including 3.6.10 are vulnerable, and any WordPress site that has this plugin installed with a version at or below 3.6.10 is at risk.
Risk and Exploitability
The CVSS score of 5.4 indicates a medium severity vulnerability, while the EPSS score is less than 1%, indicating a very low probability of exploitation at present. The vulnerability has not been listed in CISA KEV, suggesting no known widespread exploitation. Attackers would need to entice a logged‑in user to trigger a request to the vulnerable plugin, such as by clicking a malicious link or loading a malicious page whose script issues a POST request to the victim's site. If exploited, the attacker could perform arbitrary changes to group membership or settings on the victim's site. The low EPSS score and the lack of active exploitation in the wild mean the immediate risk to the average site is moderate, but the flaw still warrants timely remediation.
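To make the CWE‑352 class concrete for the Impact and Risk sections above, the following is an added illustration written for this page; it is not code from the BuddyPress Groups Extras plugin and does not describe its actual handlers. The function names prefixed `bpge_example_`, the meta key and the nonce name are hypothetical; the WordPress and BuddyPress APIs used (`check_admin_referer`, `wp_nonce_field`, `groups_is_user_admin`, `groups_update_groupmeta`) are real.

```php
<?php
// Added illustration, not code from the BuddyPress Groups Extras plugin.
// A hypothetical "save group setting" handler, first in the CSRF-prone shape
// the advisory describes, then with the nonce and capability checks that
// block a forged cross-site POST.

// Vulnerable pattern: any POST arriving with the victim's session cookie is
// honoured, so a form on another origin can change the group's state.
function bpge_example_save_setting_vulnerable() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $group_id = isset( $_POST['group_id'] ) ? absint( $_POST['group_id'] ) : 0;
    $value    = sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) );
    groups_update_groupmeta( $group_id, 'bpge_example_setting', $value ); // hypothetical key
}

// Hardened pattern: the request must carry a nonce minted for this user and
// action, and the user must actually administer the targeted group.
function bpge_example_save_setting_hardened() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    // Calls wp_die() when the nonce is missing, expired, or was issued for a
    // different user or action, so a cross-site form cannot satisfy it.
    check_admin_referer( 'bpge_example_save_setting', '_bpge_nonce' );

    $group_id = isset( $_POST['group_id'] ) ? absint( $_POST['group_id'] ) : 0;
    if ( ! $group_id || ! groups_is_user_admin( get_current_user_id(), $group_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) );
    groups_update_groupmeta( $group_id, 'bpge_example_setting', $value ); // hypothetical key
}
add_action( 'admin_post_bpge_example_save_setting', 'bpge_example_save_setting_hardened' );

// Form side: the nonce field emitted here is what check_admin_referer() verifies.
function bpge_example_render_form( $group_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="bpge_example_save_setting">';
    echo '<input type="hidden" name="group_id" value="' . absint( $group_id ) . '">';
    wp_nonce_field( 'bpge_example_save_setting', '_bpge_nonce' );
    echo '<input type="text" name="setting"><button type="submit">Save</button></form>';
}
```

When reviewing a plugin for this class of flaw, look for state-changing handlers that check only `is_user_logged_in()` and never verify a nonce or a group-level capability, as the vulnerable function above does.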
OpenCVE Enrichment