Impact
The vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to trigger malicious requests on behalf of a logged‑in WordPress administrator or privileged user. When the All‑In‑One Cufon plugin processes a state‑changing request, it does not validate that the request was intentionally issued from an intended source, so a victim's browser can be made to submit it with the victim's session attached; this can cause unintended actions such as changing settings or executing privileged operations. The flaw aligns with CWE‑352 and puts the integrity and availability of the WordPress site at risk, but it does not directly expose data or permit remote code execution.
Affected Systems
The flaw affects the WordPress All‑In‑One Cufon plugin, specifically versions from the legacy release through version 1.3.0. Administrators running these plugin versions on any WordPress installation are impacted.
Risk and Exploitability
With a CVSS score of 4.3, the vulnerability is of moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, because CSRF attacks can be launched from a harmless‑looking site, the risk remains for users who stay logged in to an administrative session. The attack vector is inferred to be a malicious web page that tricks an authenticated user into navigating to a crafted URL that targets the plugin's endpoint.
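The missing check described above, shown as an added illustration rather than the All‑In‑One Cufon plugin's own code: a WordPress settings handler that trusts any request arriving with the administrator's session, beside the hardened form that ties the request to a nonce and a capability check. The function, option, field and action names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code). Option, action and field names
// are hypothetical; the WordPress API functions are real.

// Vulnerable pattern: any POST carrying the admin's session cookie is trusted,
// so a form submitted from an attacker-controlled page changes the option.
function cufon_demo_save_settings_unprotected() {
    if ( isset( $_POST['cufon_demo_font'] ) ) {
        update_option( 'cufon_demo_font', sanitize_text_field( wp_unslash( $_POST['cufon_demo_font'] ) ) );
    }
}

// Hardened pattern, step 1: the settings form embeds a nonce bound to the
// current user and to the specific action "cufon_demo_save_settings".
function cufon_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cufon_demo_save">
        <?php wp_nonce_field( 'cufon_demo_save_settings', 'cufon_demo_nonce' ); ?>
        <input type="text" name="cufon_demo_font"
               value="<?php echo esc_attr( get_option( 'cufon_demo_font', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: the handler refuses requests that lack the
// capability or a valid nonce, which a cross-site page cannot supply.
function cufon_demo_save_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Terminates with a 403 unless the nonce matches this action for this user.
    check_admin_referer( 'cufon_demo_save_settings', 'cufon_demo_nonce' );

    $font = isset( $_POST['cufon_demo_font'] )
        ? sanitize_text_field( wp_unslash( $_POST['cufon_demo_font'] ) )
        : '';
    update_option( 'cufon_demo_font', $font );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_cufon_demo_save', 'cufon_demo_save_settings_protected' );
```

A nonce check without the capability check still lets any logged‑in user who can reach the form change the option, so both checks belong in the handler.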
OpenCVE Enrichment