Impact
The Wow‑Company Button Generator – easily Button Builder plugin contains a Cross‑Site Request Forgery vulnerability (CWE‑352) that allows an attacker to force an authenticated user to perform unintended state‑changing actions within the plugin. The flaw arises from a lack of proper request validation, meaning that requests originating from untrusted sources can be accepted as legitimate. The consequence is limited to unauthorized alterations of button configurations or other plugin data, which could lead to defacement or incorrect site behavior but does not provide direct code execution.
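The missing request validation described above is what WordPress nonces and capability checks address. The following is an added example, not the plugin's own code: it contrasts a settings handler that accepts any request carrying the user's session with one that validates the request. It assumes it runs inside WordPress admin, and every `demo_btn_*` name, the option key and the `manage_options` capability are hypothetical.

```php
<?php
// Added illustration. All demo_btn_* names and the option key are hypothetical.

// Render the settings form with a nonce bound to this action and the user's session.
function demo_btn_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_btn_save">';
    wp_nonce_field( 'demo_btn_save', 'demo_btn_nonce' );
    echo '<input type="text" name="label">';
    submit_button( 'Save' );
    echo '</form>';
}

// Weak form (CWE-352): the browser attaches the session cookie to any request,
// so a request started from another site is indistinguishable from a real one.
function demo_btn_save_unvalidated() {
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'demo_btn_label', $label );
}

// Hardened form: authorize the user, then validate the nonce, before any state change.
function demo_btn_save() {
    // Capability check: a valid session alone is not authorization (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Dies with an error page if the nonce field is missing, expired or forged.
    check_admin_referer( 'demo_btn_save', 'demo_btn_nonce' );

    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'demo_btn_label', $label );

    wp_safe_redirect( admin_url( 'admin.php?page=demo-btn' ) );
    exit;
}

// Register only the validated handler for the form's action.
add_action( 'admin_post_demo_btn_save', 'demo_btn_save' );
```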
Affected Systems
Any WordPress site running Wow‑Company Button Generator – easily Button Builder plugin with a version of 3.1.1 or earlier is affected.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of <1% suggests that exploitation is currently considered unlikely. The vulnerability is not listed in CISA’s KEV catalog. The most plausible attack path involves a malicious webpage or electronic message that triggers a request while a targeted user is logged in; this inference is drawn from the description, which implies that an authenticated session is required to effect the change, though the specific user role needed is not explicitly stated in the data.
OpenCVE Enrichment