This vulnerability is a Cross‑Site Request Forgery flaw that permits an attacker to create and submit requests to the WP Fast Total Search plugin on a site where a user is already authenticated. Through this flaw, an attacker can trigger any action that the plugin exposes to a logged‑in user, potentially leading to unintended or malicious operations such as changing settings, deleting data, or otherwise compromising the integrity and availability of the site. The weakness is classified as CWE‑352, a classic CSRF issue. The impact is confined to the privileges of the authenticated user who makes the forged request.

WordPress sites that have the Epsiloncool WP Fast Total Search plugin version 1.78.258 or earlier installed are impacted. The vulnerability is specific to the plugin, not the core WordPress platform itself.

The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, showing a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Likely exploitation would require a user to be logged into the target site while visiting a malicious page that can send a forged request, making the attack vector browser‑based. It is not known whether publicly available exploit code exists, and the risk primarily rests on whether users continue to use the vulnerable plugin version.