Impact
The vulnerability is a CSRF flaw that allows an attacker to trick a logged‑in user into submitting a request that the Minimum Password Strength plugin processes, potentially changing its settings or affecting the user experience. The weakness corresponds to CWE‑352 and does not directly enable arbitrary code execution, but it can lead to unauthorized changes within the victim's WordPress site. Because the attack requires the user to be authenticated to the site, the impact is limited to changing the plugin's configuration or disabling it, which could weaken password strength enforcement for subsequent users.
Affected Systems
The plugin "Minimum Password Strength" by Will Anderson is vulnerable in all released versions up to and including 1.2.0. Any WordPress installation that has a version in this range installed and active is at risk. No specific WordPress core version is mentioned, so the risk applies to all WordPress sites running the plugin in the affected version range, regardless of core version.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score shows a very low exploitation probability (under 1%), and the issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation is currently unlikely. The likely attack vector is a malicious website that triggers a forged form submission, or a phishing email that induces a user to visit a crafted URL while still logged into the target WordPress site. The victim must be authenticated and must not notice that the request originates from another site. No additional credentials or elevated privileges are required beyond normal site access.
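The two paragraphs above describe the mechanism (a request the plugin processes without confirming it came from its own settings page) and the vector (a forged form submission from another site). The following is an added illustration written for this page; it is not the plugin's own code, and the option name, form field names and the `admin_post` action name are hypothetical. It shows a WordPress settings handler in the CSRF-prone shape beside the hardened shape that a fix for CWE-352 in a plugin typically takes: a capability check plus a nonce check via `check_admin_referer()`, with the matching `wp_nonce_field()` emitted in the form.

```php
<?php
// Added illustration (not the plugin's code). Option name, field names and
// the admin_post action are hypothetical placeholders.

// --- CSRF-prone pattern: trusts any authenticated request ---------------
// The browser attaches the victim's session cookies to a form submitted
// from any site, so a capability check alone cannot tell a forged
// submission from one made on the plugin's own settings page.
function mps_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // No origin check: this is the CWE-352 weakness.
    update_option( 'mps_min_strength', sanitize_text_field( wp_unslash( $_POST['min_strength'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=mps&saved=1' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce (origin) check ----------
function mps_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // check_admin_referer() verifies the nonce field and stops the request
    // with an "expired link" page when it is missing or invalid. A nonce is
    // tied to the user, the action and a time window, so a form hosted on
    // another site cannot supply a valid one.
    check_admin_referer( 'mps_save_settings', 'mps_nonce' );

    // Validate against an allow-list rather than storing arbitrary input.
    $allowed = array( 'weak', 'medium', 'strong' );
    $value   = sanitize_text_field( wp_unslash( $_POST['min_strength'] ?? '' ) );
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_die( 'Invalid value', 400 );
    }
    update_option( 'mps_min_strength', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=mps&saved=1' ) );
    exit;
}
// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_post_mps_save_settings', 'mps_save_settings_hardened' );

// The settings form must emit the nonce that the handler checks.
function mps_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mps_save_settings">
        <?php wp_nonce_field( 'mps_save_settings', 'mps_nonce' ); ?>
        <select name="min_strength">
            <option value="weak">Weak</option>
            <option value="medium">Medium</option>
            <option value="strong">Strong</option>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of issue, look for every `admin_post_*`, `admin_init` or `wp_ajax_*` handler that calls `update_option()` (or otherwise changes state) and confirm it runs both a capability check and `check_admin_referer()` or `wp_verify_nonce()` before doing so; a capability check on its own is the tell-tale sign of the vulnerable shape.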
OpenCVE Enrichment