Impact
The vulnerability lets an attacker cause a victim's browser to submit forged HTTP requests that the Really Simple SSL plugin accepts and acts upon without verifying their origin. Because the plugin lacks adequate anti-CSRF safeguards, authenticated users who visit a malicious page can be tricked into submitting requests that trigger changes to the site's configuration or content. This exposes the site to unauthorized administrative actions. The primary impact is the ability to alter site settings or data; the issue does not directly disclose confidential data or allow arbitrary code execution.
Affected Systems
The Really Simple SSL plugin by Really Simple Plugins is affected in versions up to and including 9.1.4. Any WordPress installation running the plugin at version 9.1.4 or earlier is affected; installations that have been upgraded beyond 9.1.4 are not.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. The likely attack path requires a victim who is logged in to a WordPress administrator account to be induced to visit a crafted URL; the victim's browser then sends the forged request to the site, where the plugin processes it, allowing the attacker to perform privileged operations under the victim's session. No public exploit has been documented, and exploitation depends on user interaction.
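The Impact and Risk and Exploitability sections both describe the same root cause: a settings handler that acts on any request arriving under an administrator's session, with no proof that the request originated from the plugin's own admin page. The following is an added illustration, not code from Really Simple SSL or from Really Simple Plugins, and it does not reproduce the plugin's actual handler; every function, option, action and form field name prefixed `example_` is a hypothetical placeholder. It shows the weak handler pattern first and then the hardened form using WordPress's standard nonce and capability checks.

```php
<?php
/**
 * Added illustration (not code from Really Simple SSL or Really Simple Plugins):
 * a hypothetical WordPress settings handler shown first without anti-CSRF
 * protection, then hardened with a capability check and a nonce check.
 * Every name prefixed "example_" is an assumption, not the plugin's own.
 */

// --- Weak pattern: the kind of handler a CSRF request can drive ------------
// Any POST that reaches admin-post.php?action=example_save_weak while an
// administrator is logged in is acted upon. Nothing proves the request came
// from the plugin's own settings page rather than from a third-party site.
function example_save_settings_weak() {
    $force_ssl = isset( $_POST['example_force_ssl'] ) ? 1 : 0;
    update_option( 'example_force_ssl', $force_ssl );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_save_weak', 'example_save_settings_weak' );

// --- Hardened pattern ------------------------------------------------------
// 1. Only users holding the required capability may change settings.
// 2. The request must carry a nonce that WordPress issued to this user for
//    this action; a request forged from another origin cannot include it.
function example_save_settings_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Verifies $_REQUEST['_wpnonce'] for the action 'example_save_secure'
    // and dies with an error page when the nonce is missing or invalid.
    check_admin_referer( 'example_save_secure' );

    $force_ssl = isset( $_POST['example_force_ssl'] ) ? 1 : 0;
    update_option( 'example_force_ssl', $force_ssl );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_save_secure', 'example_save_settings_secure' );

// The settings form must emit the matching nonce; otherwise legitimate
// submissions fail the check as well.
function example_render_settings_form() {
    $checked = checked( 1, get_option( 'example_force_ssl', 0 ), false );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_secure">
        <?php wp_nonce_field( 'example_save_secure' ); ?>
        <label>
            <input type="checkbox" name="example_force_ssl" value="1" <?php echo $checked; ?>>
            Force SSL
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AJAX handlers need the same two checks; check_ajax_referer() is the
// equivalent of check_admin_referer() for wp_ajax_* actions.
function example_ajax_toggle() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_ajax_toggle', 'nonce' );
    $force_ssl = isset( $_POST['example_force_ssl'] ) ? 1 : 0;
    update_option( 'example_force_ssl', $force_ssl );
    wp_send_json_success( array( 'example_force_ssl' => $force_ssl ) );
}
add_action( 'wp_ajax_example_toggle', 'example_ajax_toggle' );
```

The capability check and the nonce check are complementary, not interchangeable: the capability check alone still passes for a forged request riding on an administrator's cookies, which is exactly the scenario the advisory describes, while the nonce check alone would let a low-privilege user with a valid nonce change options. State-changing actions triggered by links rather than forms should wrap the URL with `wp_nonce_url()` so the same verification applies to GET requests.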
OpenCVE Enrichment