Impact
The vulnerability is a Cross‑Site Request Forgery flaw that allows a malicious actor to trigger actions within the Comment Date and Gravatar remover plugin using the credentials of an authenticated WordPress user. The plugin would then modify or remove comment dates and gravatar images without the user’s knowledge, potentially corrupting the comment timeline or altering how commenter identities are displayed. The flaw does not give direct access to the site or its data beyond the actions the user is already permitted to perform, but it does let an attacker abuse that user’s legitimate privileges.
Affected Systems
The affected product is the WordPress Comment Date and Gravatar remover plugin authored by Venugopal, with the vulnerability present in all releases up to and including version 1.0. WordPress sites that have installed or activated this plugin and on which users hold administrative or moderator access are susceptible.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk; the EPSS score of less than 1% suggests a low likelihood of exploitation at the time of publication, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to lure a logged‑in user into submitting a crafted request that targets the plugin’s functionality, implying a network‑based attack vector. Because the flaw is a standard CSRF weakness, an attacker who can persuade a user to visit a malicious URL or a page with an embedded form would be able to perform the unwanted actions with the user’s privileges.
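The standard CSRF weakness described above is, in WordPress plugins, almost always a state-changing handler that never verifies a nonce or the caller's capability. The following is an added example written for this page, not the plugin's own code and not derived from it: a hypothetical admin-post handler shown in its CSRF-prone shape and then hardened with check_admin_referer() and current_user_can(). Every name (the cdg_example_ prefix, the _cdg_example_hide_gravatar meta key, the nonce action and field names) is an assumption chosen for illustration.

```php
<?php
/*
 * Added example (not the Comment Date and Gravatar remover plugin's code).
 * A hypothetical WordPress admin-post handler, first in a CSRF-prone shape,
 * then hardened. All cdg_example_* names and the meta key are assumptions.
 */

// WordPress routes POST requests to admin-post.php?action=cdg_example_hide_gravatar
// to the callback registered on this hook.
add_action( 'admin_post_cdg_example_hide_gravatar', 'cdg_example_handle_hide_gravatar' );

/*
 * CSRF-prone shape: the handler assumes that any logged-in user whose browser
 * reaches it intended the action. A form submitted from another origin while
 * the user is logged in carries the same session cookie and is accepted.
 *
 * function cdg_example_handle_hide_gravatar() {
 *     $comment_id = absint( $_POST['comment_id'] );
 *     update_comment_meta( $comment_id, '_cdg_example_hide_gravatar', 1 );
 *     wp_safe_redirect( admin_url( 'edit-comments.php' ) );
 *     exit;
 * }
 */

// Hardened handler: prove intent with a nonce, prove authorisation with a
// capability check, validate input, then act.
function cdg_example_handle_hide_gravatar() {
	// check_admin_referer() calls wp_die() when the nonce is absent or invalid,
	// so a cross-origin form that cannot obtain the nonce never reaches the write.
	check_admin_referer( 'cdg_example_hide_gravatar', 'cdg_example_nonce' );

	// A valid nonce proves the request came from our own form; it does not
	// prove the user may moderate comments, so check that separately.
	if ( ! current_user_can( 'moderate_comments' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to change comment display settings.', 'cdg-example' ),
			'',
			array( 'response' => 403 )
		);
	}

	$comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
	if ( ! $comment_id || ! get_comment( $comment_id ) ) {
		wp_die( esc_html__( 'Invalid comment.', 'cdg-example' ), '', array( 'response' => 400 ) );
	}

	// The state change itself: hypothetical per-comment flag stored as comment meta.
	update_comment_meta( $comment_id, '_cdg_example_hide_gravatar', 1 );

	wp_safe_redirect( add_query_arg( 'cdg_example_done', '1', admin_url( 'edit-comments.php' ) ) );
	exit;
}

// The legitimate form embeds the matching nonce field. The nonce is tied to
// the current user and session, which is what a forged cross-site form lacks.
function cdg_example_render_form( $comment_id ) {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="cdg_example_hide_gravatar">
		<input type="hidden" name="comment_id" value="<?php echo esc_attr( absint( $comment_id ) ); ?>">
		<?php wp_nonce_field( 'cdg_example_hide_gravatar', 'cdg_example_nonce' ); ?>
		<button type="submit"><?php esc_html_e( 'Hide gravatar', 'cdg-example' ); ?></button>
	</form>
	<?php
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every callback registered on admin_post_*, admin_action_*, wp_ajax_* or a custom REST route that writes to the database must verify a nonce (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()) and a capability before the write. Links that trigger state changes via GET should be built with wp_nonce_url() for the same reason. Note that the nonce check and the capability check address different failures and neither substitutes for the other.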
OpenCVE Enrichment