A Cross Site Request Forgery vulnerability exists in the Just Variables plugin for WordPress. An attacker can construct a forged HTTP request that is processed by the plugin without proper verification of the user’s intent. This flaw allows attackers to perform state‑changing actions on the site using the privileges of an authenticated user, potentially altering settings, uploading content, or modifying data that the plugin manages. The impact is the unauthorized execution of user‑restricted operations, compromising the integrity of the site’s configuration and content.

The vulnerability affects installations of the Just Variables plugin from Alex Prokopenko / JustCoded, specifically all versions up to and including 1.2.3. Sites running WordPress with this plugin enabled, regardless of the role of the logged‑in user, are susceptible.

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker hosting a malicious page or sending a crafted link that causes a logged‑in administrator or other authenticated user to send a forged request to the plugin’s endpoints, exploiting the missing CSRF token verification.