Impact
The vulnerability resides in the Infusionsoft Analytics WordPress plugin, version 2.0 and earlier, and allows an attacker to perform Cross-Site Request Forgery (CSRF). A malicious actor can forge requests to the plugin, potentially leading to unauthorized configuration changes or data manipulation without the victim's knowledge. Based on the description, it is inferred that the attack may depend on the target user's session, but the CVE does not explicitly state authentication as a requirement.
Affected Systems
WordPress installations with the jordan.hatch Infusionsoft Analytics plugin installed at version 2.0 or earlier are affected. No further product or version granularity is provided beyond the stated maximum version.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% implies a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation may involve tricking a logged-in user into visiting a crafted URL that triggers the plugin's privileged actions, thereby bypassing intended security controls, but the CVE does not explicitly state that authentication is required.