WordPress OneStore Sites plugin versions up to 0.1.1 allow an attacker to perform cross‑site request forgery that results in the installation of any plugin of the attacker’s choosing. This flaw is a classic CSRF (CWE‑352) that removes normal safeguards before a plugin installation request is processed, potentially giving the attacker the ability to introduce malicious code with the privileges of the target account.

Any WordPress site running sainwp OneStore Sites plugin version 0.1.1 or earlier is affected. The vendor is sainwp, and the product name is "OneStore Sites". No specific WordPress core version is required, but the vulnerability assumes the site allows external requests to invoke plugin installation actions.

The CVSS score of 9.6 indicates a very high impact attack that could lead to full compromise of the affected site. The EPSS score of <1% suggests that, in the general observed exploitation landscape, this vulnerability is not frequently targeted; however the lack of a KEV listing does not diminish the risk if an attacker gains access to an authenticated admin session. Attackers would need to embed a forged request in a page or link that an administrator views while logged in, or trick the admin into clicking a malicious URL. Once the request is processed, the plugin is installed and any code it contains will run with the same privileges as the installing user. The combination of a high severity rating and potential for persistence makes this flaw particularly dangerous for vulnerable installations.