Impact
The vulnerability is a CSRF flaw in the WordPress JPG, PNG Compression and Optimization plugin provided by hosting.io. It permits an attacker to forge requests on behalf of a logged‑in user, potentially allowing the attacker to trigger the plugin’s image compression function or other privileged actions without the user’s knowledge. Because the flaw bypasses the usual CSRF protection, any administrative or user‑level action exposed by the plugin could be executed without proper authorization.
Affected Systems
WordPress sites running the hosting.io JPG, PNG Compression and Optimization plugin at version 1.7.35 or earlier are vulnerable. The advisory gives no lower bound for the affected range (listed as n/a), so site owners on any release up to and including 1.7.35 should upgrade promptly.
Risk and Exploitability
The CVSS score of 4.3 indicates low to moderate severity, and the EPSS score below 1% suggests that widespread exploitation has not been observed. The vulnerability is not listed in CISA’s KEV catalog. From the description, the likely attack vector is a forged request triggered when a victim visits a specially crafted link or page while holding a valid session cookie for the site. Exploitation requires no additional malicious payload: the forged HTTP request to the plugin’s endpoint is authenticated by the victim’s own cookie, which the browser attaches automatically.
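The mechanism described above is what WordPress nonces exist to stop. The following is an added illustration, not code from the hosting.io plugin: a hypothetical admin-ajax handler (all names prefixed "example_" are made up) shown first in the unprotected form the advisory describes, then hardened with a nonce check and a capability check so that a cross-site request carrying only the victim's cookie is rejected.

```php
<?php
// Added example, not the plugin's own code. "example_*" names are hypothetical.

// Vulnerable pattern (NOT registered here): any POST that reaches this action is
// honoured. The victim's browser attaches the session cookie automatically, so a
// form on an attacker-controlled page can submit it on the victim's behalf.
function example_compress_image_unsafe() {
    $attachment_id = isset($_POST['attachment_id']) ? (int) $_POST['attachment_id'] : 0;
    example_run_compression($attachment_id); // hypothetical helper doing the real work
    wp_send_json_success();
}

// Hardened handler: the nonce proves the request originated from a page this site
// emitted for this user, and the capability check confirms the user may act on
// this attachment. Only this handler is registered.
add_action('wp_ajax_example_compress_image', 'example_compress_image_safe');
function example_compress_image_safe() {
    // check_ajax_referer() wraps wp_verify_nonce() and, by default, terminates the
    // request with a 403 when the 'nonce' field is missing or does not verify.
    check_ajax_referer('example_compress_image', 'nonce');

    $attachment_id = isset($_POST['attachment_id']) ? absint($_POST['attachment_id']) : 0;
    if (!$attachment_id || !current_user_can('edit_post', $attachment_id)) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    example_run_compression($attachment_id);
    wp_send_json_success(array('attachment_id' => $attachment_id));
}

// The legitimate caller must carry the nonce, so it is handed to the admin script
// at enqueue time; the script posts it as the 'nonce' field alongside the ID.
add_action('admin_enqueue_scripts', 'example_enqueue_admin_script');
function example_enqueue_admin_script() {
    wp_enqueue_script('example-compress', plugins_url('compress.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('example-compress', 'exampleCompress', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_compress_image'),
    ));
}

// Hypothetical stand-in for the plugin's compression routine.
function example_run_compression($attachment_id) {
    // ... compress the file behind $attachment_id ...
}
```

The nonce check alone is the CSRF fix; the capability check is separate but belongs in every privileged handler, since a valid nonce only says the request came from a page of this site, not that the user is allowed to perform the action. The same pattern applies to `admin-post.php` handlers (use `check_admin_referer()` there) and to custom REST routes (supply a `permission_callback` and let the REST API's `X-WP-Nonce` handling do the cookie-authentication check).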
OpenCVE Enrichment