The vulnerability is a Cross‑Site Request Forgery flaw within the Brainstorm Force Starter Templates WordPress plugin, affecting all releases up to and including 4.4.9. An attacker can send a forged request from an external site that is accepted by the plugin’s administrative endpoints, allowing the attacker to perform privileged actions on behalf of a logged‑in administrator without the administrator’s explicit consent. This flaw is mapped to CWE‑352 and could compromise the confidentiality, integrity, and availability of the affected WordPress site if the attacker can successfully manipulate content, change settings, or manage templates.

Affected systems are any WordPress installations that have the Starter Templates plugin version 4.4.9 or older installed. The plugin, developed by Brainstorm Force, is widely used for website templates, and no specific vendor version range beyond 4.4.9 is listed, so all installations using these or earlier revisions are vulnerable.

The CVSS score of 4.3 indicates a medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. It is not listed in CISA’s KEV catalog. The likely attack vector is a crafted web request from a malicious domain that a site administrator or another authenticated user may unintentionally submit, triggering the plugin’s protected action. Although no direct exploitation method is described, an attacker who can lure a privileged user to make a specific request could potentially modify site content or settings.