Impact
The vulnerability is a classic Cross‑Site Request Forgery (CWE‑352) that allows an attacker to trigger the installation of any WordPress plugin on a site where the attacker can submit a crafted request. Exploiting this flaw introduces malicious code into the WordPress installation with the same privileges as the account that performed the installation, potentially enabling remote code execution or persistence. Because the installed plugin is fully controlled by the attacker, it can contain any payload or backdoor, effectively compromising the entire site.
Affected Systems
The issue affects the FancyWP Starter Templates plugin by FancyWP, versions up to and including 2.0.0. Administrators and users with plugin‑installation rights who have not upgraded to a version newer than 2.0.0 are at risk.
Risk and Exploitability
The CVSS score of 9.6 marks this flaw as critical. Its EPSS score of less than 1% indicates that the probability of exploitation is currently low, but a low probability does not eliminate the risk. The flaw is not listed in CISA’s KEV catalog. The likely attack vector is a CSRF attack in which a victim user, who is authenticated and has sufficient privileges, is induced to visit a specially crafted URL or submit a hidden form. Once the request is processed, an arbitrary plugin is installed automatically, giving the attacker code execution capabilities.
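As an added illustration that is not taken from the FancyWP Starter Templates source, the following hypothetical handler pair shows the weak pattern behind this class of bug (an install action with no proof that the privileged user intended the request) beside the standard WordPress hardening with `current_user_can()` and `check_ajax_referer()`; all names prefixed `demo_` are assumptions.

```php
<?php
// Illustrative code added to this advisory; it is NOT the FancyWP Starter
// Templates source. It shows the generic pattern behind a CSRF on a plugin-
// install endpoint and the standard WordPress hardening for it.

// Weak pattern (hypothetical): an AJAX action that trusts the request.
// Nothing proves the logged-in admin intended to send it, so a form on an
// attacker-controlled page submitted by the victim's browser triggers it.
function demo_install_plugin_weak() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    demo_install_from_wporg( $slug ); // installs whatever slug arrived
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_install_weak', 'demo_install_plugin_weak' );

// Hardened pattern: capability check + nonce check before any side effect.
function demo_install_plugin_hardened() {
    // 1. Authorization: only users allowed to install plugins get this far.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF defence: the nonce is bound to this user, this action and a
    //    time window, so a cross-site form cannot supply it. Dies (403) on mismatch.
    check_ajax_referer( 'demo_install_plugin', '_ajax_nonce' );

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }
    $result = demo_install_from_wporg( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_install_hardened', 'demo_install_plugin_hardened' );

// Shared helper: look up the download URL on wordpress.org and run the upgrader.
function demo_install_from_wporg( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}
```

The admin page that issues the request must embed `wp_create_nonce( 'demo_install_plugin' )` as the `_ajax_nonce` field; a request arriving without it, or with a nonce for another user or action, is rejected before any plugin is fetched.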
OpenCVE Enrichment
EUVD