Impact
This vulnerability is a classic Cross‑Site Request Forgery flaw that allows an attacker to submit actions on behalf of an authenticated WordPress user on a site that has the RAYS Grid plugin installed. The flaw does not provide direct code execution or privilege escalation, but it permits any state‑changing action that the legitimate user can perform within the plugin, potentially altering page layout or scheduling, or deleting content. The weakness is identified as CWE‑352. The impact is limited to the permissions of the victim user and requires that the victim be logged into the site and have the plugin active during the attack.
Affected Systems
The vulnerability affects the WordPress plugin RAYS Grid from IT‑RAYS, versions up to and including 1.3.1; every release from the earliest through 1.3.1 contains the flaw. Affected hosts are any WordPress installations that have the RAYS Grid plugin present at a version ≤ 1.3.1.
Risk and Exploitability
The CVSS score of 4.3 indicates a medium severity. The EPSS score of less than 1% suggests that exploitation events are very rare, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need the victim user to be authenticated and to visit a malicious site that issues forged requests targeting the plugin endpoints. No network‑level exploit is required, so the attack vector is largely user‑side and is influenced by user behavior. Overall risk is moderate if the plugin is widely used, but the likelihood of exploitation remains low.
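The defensive pattern that closes CWE‑352 in a WordPress plugin handler, shown as an added example that is not code from RAYS Grid or from the advisory: a hypothetical grid-layout save action first without and then with the nonce and capability checks that make a forged cross-site request fail. The action names, option key, form field names and admin page slug are all assumptions.

```php
<?php
// Added illustration, not RAYS Grid code. Hypothetical admin-post handler
// that stores a grid layout setting for the current site.

// VULNERABLE: trusts any POST that arrives with the logged-in user's cookies.
// A form auto-submitted from another origin is sent with the victim's
// WordPress session cookie, so the change is applied (CWE-352).
function demo_save_layout_unsafe() {
    $layout = isset( $_POST['layout'] ) ? sanitize_text_field( wp_unslash( $_POST['layout'] ) ) : '';
    update_option( 'demo_grid_layout', $layout );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-grid' ) );
    exit;
}
add_action( 'admin_post_demo_save_layout_unsafe', 'demo_save_layout_unsafe' );

// HARDENED: the form carries a nonce bound to this action and the user's
// session, and the handler refuses requests without a valid one.
function demo_render_layout_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_layout', 'demo_layout_nonce' ); ?>
        <input type="hidden" name="action" value="demo_save_layout">
        <input type="text" name="layout"
               value="<?php echo esc_attr( get_option( 'demo_grid_layout', '' ) ); ?>">
        <?php submit_button( 'Save layout' ); ?>
    </form>
    <?php
}

function demo_save_layout_safe() {
    // Capability check: only users allowed to change settings may reach this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: a request forged from another site cannot carry this
    // per-user, per-action token, so it is rejected before any state changes.
    $nonce = isset( $_POST['demo_layout_nonce'] ) ? sanitize_key( $_POST['demo_layout_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_layout' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    $layout = isset( $_POST['layout'] ) ? sanitize_text_field( wp_unslash( $_POST['layout'] ) ) : '';
    update_option( 'demo_grid_layout', $layout );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-grid' ) );
    exit;
}
add_action( 'admin_post_demo_save_layout', 'demo_save_layout_safe' );
```

The same check can be written more compactly with `check_admin_referer( 'demo_save_layout', 'demo_layout_nonce' )`, which verifies the nonce and calls `wp_die()` on failure; the explicit `wp_verify_nonce()` form is used above so the rejected path is visible.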
OpenCVE Enrichment