Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to trick a logged-in user into submitting requests the user never intended to make to the WordPress site. The flaw resides in the F12-Profiler plugin, which fails to verify a CSRF token on certain state-changing actions. An attacker who convinces a site administrator or other privileged user to visit a crafted page can cause that user's browser to perform those operations without the user's knowledge. This can lead to unauthorized changes to site configuration, content, or plugin data, representing a moderate threat to the confidentiality and integrity of the affected system.
Affected Systems
Forge12 Interactive GmbH provides the F12-Profiler plugin for WordPress. The vulnerability affects all releases from the initial release through version 1.3.9. Any WordPress installation running one of these plugin versions is at risk.
Risk and Exploitability
The CVSS score of 5.4 places the issue at medium severity. The EPSS score of less than 1 % indicates a low estimated likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The attack vector requires user interaction: an attacker delivers the crafted URL to an authenticated user, for example by email or an embedded link. The flaw is exploitable only when an authenticated user with sufficient privileges visits a malicious page; it does not provide remote code execution or direct access to the server environment. The forged request succeeds only because the browser automatically attaches the user's existing session cookie to it. Because of the low exploitation probability and the availability of an upgrade path, the overall risk is moderate.
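To make the missing-token condition concrete, the following is an added illustration and not code from the F12-Profiler plugin (whose handler is not reproduced here): a hypothetical WordPress admin action shown first without and then with the nonce and capability checks that WordPress provides for exactly this purpose. The option name, action slug and function names are assumed.

```php
<?php
// Added example, not the F12-Profiler plugin's code. All names below
// (option, action slug, function names) are hypothetical.

// WEAK PATTERN: a state-changing handler that trusts any POST carrying the
// expected fields. A form hosted on another site and auto-submitted by the
// victim's browser arrives with the victim's session cookie and is
// indistinguishable from a legitimate request (the CSRF condition above).
// Shown for contrast only; it is deliberately not hooked to any action.
function example_save_settings_unchecked() {
    $value = sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// HARDENED PATTERN: require a capability AND a valid nonce that WordPress
// issued to this user for this specific action. A cross-site form cannot
// obtain the nonce, so a forged request dies before any state changes.
// The capability check stays in place because a nonce proves intent, not
// authorization.
function example_save_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Verifies $_REQUEST['_wpnonce'] against the 'example_save_settings'
    // action and calls wp_die() if it is missing, stale or forged.
    check_admin_referer( 'example_save_settings' );

    $value = sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_checked' );

// The legitimate settings form must emit the matching nonce field so that
// genuine submissions carry the token the handler now demands.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings' ); ?>
        <input type="text" name="example_setting"
               value="<?php echo esc_attr( get_option( 'example_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every handler that writes options, posts or plugin data and confirm it calls check_admin_referer() or wp_verify_nonce() (and a capability check) before the write.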
OpenCVE Enrichment