Impact
The vulnerability is a classic CSRF flaw that permits an attacker to forge privileged operations on a site that uses the WooCommerce Recargo de Equivalencia plugin. A crafted request submitted by a victim's browser could trigger state-changing actions without the user's consent, potentially leading to unauthorized changes in shop settings or order handling. The weakness is classified as CWE-352, and the CVSS score of 4.3 indicates a moderate severity that could compromise data integrity if exploited.
Affected Systems
All installations of the josesan WooCommerce Recargo de Equivalencia plugin with versions up to and including 1.6.24 are vulnerable. The vulnerability manifests in WordPress sites where the plugin is active, regardless of underlying WordPress version. No other plugins are listed as affected.
Risk and Exploitability
The CVSS score of 4.3 puts the risk at moderate, while the EPSS score of under 1% suggests exploitation is unlikely. The issue is not in the CISA KEV catalog, and no public exploit is known. The attack vector is likely a web request that needs no authentication of its own but relies on a user who is already logged into the administrative area: an attacker would have to get that logged-in user to unknowingly submit a crafted link or form, so that the browser attaches the existing session and the forged request is executed. Upgrading the plugin mitigates the flaw.
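The following is an added illustration of the CWE-352 class described above and of what the fix for it looks like in a WordPress plugin; it is not code from the WooCommerce Recargo de Equivalencia plugin or from its author. The action slug, option name, form page and the choice of the `manage_woocommerce` capability are assumptions for the example. The unprotected pattern is shown commented out beside the hardened handler, which ties every state-changing request to a WordPress nonce and a capability check so that a request forged from another origin is rejected even when the victim is logged in.

```php
<?php
// Added illustration (not code from the WooCommerce Recargo de Equivalencia plugin).
// Hypothetical admin action that saves a surcharge rate; the action slug
// 're_example_save_rate', the option 're_example_rate' and the capability
// 'manage_woocommerce' are assumptions made for this example.

// --- Unprotected pattern (CWE-352): any POST carrying the parameter is trusted,
//     so a request the browser was tricked into sending is processed as well.
// add_action( 'admin_post_re_example_save_rate', 're_example_save_rate_unprotected' );
// function re_example_save_rate_unprotected() {
//     update_option( 're_example_rate', sanitize_text_field( wp_unslash( $_POST['rate'] ) ) );
// }

// --- Hardened form: capability check plus nonce verification before any state change.
add_action( 'admin_post_re_example_save_rate', 're_example_save_rate' );

function re_example_save_rate() {
    // 1. Only users allowed to manage the shop may perform the change.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 're-example' ), 403 );
    }

    // 2. The request must carry a nonce bound to this action and this user's session.
    //    check_admin_referer() stops execution with a 403 if the nonce is missing
    //    or invalid, which is exactly the case for a cross-site forged request.
    check_admin_referer( 're_example_save_rate', 're_example_nonce' );

    // 3. Validate the input before persisting it.
    $rate = isset( $_POST['rate'] ) ? floatval( wp_unslash( $_POST['rate'] ) ) : null;
    if ( null === $rate || $rate < 0 || $rate > 100 ) {
        wp_die( esc_html__( 'Invalid rate.', 're-example' ), 400 );
    }
    update_option( 're_example_rate', $rate );

    // 4. Redirect back to the (hypothetical) settings page.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=re-example' ) ) );
    exit;
}

// The settings form must emit the matching nonce field so that legitimate
// submissions from the plugin's own page pass the check above.
function re_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="re_example_save_rate">
        <?php wp_nonce_field( 're_example_save_rate', 're_example_nonce' ); ?>
        <label>Rate (%)
            <input type="number" name="rate" step="0.01" min="0" max="100"
                   value="<?php echo esc_attr( get_option( 're_example_rate', '0' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce alone does not replace the capability check: the nonce proves the request originated from a page WordPress rendered for this user, while `current_user_can()` proves the user is allowed to make the change. Both are needed, and the nonce check must run before any write so that a rejected request leaves no side effect.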