Impact
The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw in the Simple Google Sitemap plugin for WordPress. Because the plugin does not attach a CSRF token (in WordPress terms, a nonce) to its state‑changing requests, an attacker can trick an authenticated administrator into submitting a request that performs one of the plugin's actions, such as changing sitemap settings or data, without the administrator intending it. The flaw is classified as CWE‑352. The primary impact is that an attacker could modify site configuration, potentially disrupting search engine indexing or exposing sensitive information the plugin handles, without the victim's knowledge.
Affected Systems
The affected product is the Simple Google Sitemap WordPress plugin by ixiter, version 1.6 and earlier. Any WordPress site running one of these plugin versions is susceptible.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of < 1% indicates a very low likelihood of exploitation in the wild at the time of assessment, and the vulnerability is not listed in CISA KEV. Exploitation requires that the attacker lure a logged‑in administrator or other privileged user into visiting a crafted URL or submitting a forged request to the site, taking advantage of the plugin's missing CSRF token. If the site uses default URLs or leaves the plugin's endpoints exposed, an attacker could trigger unauthorized actions that compromise site configuration or content integrity.
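The two sections above describe the root cause (a settings handler that accepts a state‑changing request without a nonce) and the resulting exposure. The following is an added illustration, not code from the Simple Google Sitemap plugin or from ixiter: a generic WordPress admin‑post handler written the vulnerable way, beside the same handler hardened with a nonce and a capability check. The option name, action name, form field and nonce action (`sgs_example_*`) are hypothetical names chosen for this example.

```php
<?php
/**
 * Added illustration (not the Simple Google Sitemap plugin's own code).
 * Shows the missing-nonce pattern behind a CWE-352 finding in a WordPress
 * plugin and the hardened equivalent. All names prefixed sgs_example_ are
 * hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Any request reaching admin-post.php with the right parameters is honoured.
// A logged-in administrator lured to a third-party page sends their session
// cookies along automatically, so is_user_logged_in() passes and the option
// is overwritten. Nothing ties the request to a form the admin actually saw.
function sgs_example_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    // No nonce check and no capability check: request origin is never verified.
    $priority = isset( $_POST['sgs_priority'] )
        ? sanitize_text_field( wp_unslash( $_POST['sgs_priority'] ) )
        : '0.5';
    update_option( 'sgs_example_priority', $priority );
    wp_safe_redirect( admin_url( 'options-general.php?page=sgs-example' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
const SGS_EXAMPLE_NONCE_ACTION = 'sgs_example_save_settings'; // hypothetical

// The settings form embeds a nonce bound to the current user and this action.
function sgs_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sgs_example_save_settings">
        <?php wp_nonce_field( SGS_EXAMPLE_NONCE_ACTION, '_sgs_nonce' ); ?>
        <label>Sitemap priority
            <input type="text" name="sgs_priority"
                   value="<?php echo esc_attr( get_option( 'sgs_example_priority', '0.5' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function sgs_example_save_settings_hardened() {
    // 1. Authorisation: only users allowed to manage options may reach this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Origin check: check_admin_referer() verifies the nonce in the named
    //    field and dies with a 403 if it is missing, expired or belongs to a
    //    different user/action. A forged cross-site request cannot supply it.
    check_admin_referer( SGS_EXAMPLE_NONCE_ACTION, '_sgs_nonce' );

    // 3. Validate the value, not just sanitise it (sitemap priority is 0.0-1.0).
    $priority = isset( $_POST['sgs_priority'] )
        ? sanitize_text_field( wp_unslash( $_POST['sgs_priority'] ) )
        : '';
    if ( ! is_numeric( $priority ) || (float) $priority < 0.0 || (float) $priority > 1.0 ) {
        wp_die( 'Invalid priority', '', array( 'response' => 400 ) );
    }

    update_option( 'sgs_example_priority', (string) (float) $priority );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=sgs-example' ) ) );
    exit;
}
add_action( 'admin_post_sgs_example_save_settings', 'sgs_example_save_settings_hardened' );
```

The nonce and the capability check address different things: `current_user_can()` answers "may this user do this?", while the nonce answers "did this user actually intend this request?" Both are needed; a nonce alone still lets a low‑privilege user with a valid nonce change settings, and a capability check alone is exactly what CSRF bypasses. For state changes triggered by links rather than forms, the same protection is applied with `wp_nonce_url()` on the link and the same `check_admin_referer()` call in the handler. When reviewing a plugin for this class of bug, the quick check is whether every `admin_post_*`, `wp_ajax_*` and settings‑page handler that calls `update_option()` or writes data is preceded by a `check_admin_referer()` or `wp_verify_nonce()` call.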
OpenCVE Enrichment