Impact
The vulnerability is a classic CSRF flaw that permits an attacker to trigger privileged actions on behalf of an authenticated WordPress user without the user's knowledge. The weakness lies in improper verification of the request origin, a known issue categorized as CWE-352. While the impact is limited to the scope of the authenticated user's permissions, it could be used by a remote attacker to change site settings, update content, or otherwise compromise the integrity of the site if the attacker can coerce the target into visiting a malicious page.
Affected Systems
The flaw affects the WordPress REST API TO MiniProgram plugin developed by xjb, for all releases up to and including version 5.1.2. Users running those versions of the plugin are potentially exposed and should be considered impacted.
Risk and Exploitability
The CVSS score of 4.3 places this flaw in the low–moderate severity range, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious website that tricks an authenticated visitor into submitting a forged request to the WordPress site; no special user privileges or server-side configuration are required beyond normal user authentication.
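The following is an added illustration of the CWE-352 pattern described in the Impact section and of the attack vector described above, written for defenders reviewing a WordPress plugin. It is not code from the REST API TO MiniProgram plugin; the handler, option and route names (prefixed demo_) are assumptions chosen for the example. It places a settings handler that accepts a state-changing POST with no proof of user intent beside the hardened form, which verifies a WordPress nonce and the user's capability before touching state, and shows the equivalent rule for a REST route.

```php
<?php
/**
 * Added example of the CWE-352 (CSRF) pattern in a WordPress plugin.
 * Hypothetical demo_* handler, option and route names; this is not the
 * affected plugin's code.
 */

// --- Vulnerable pattern -------------------------------------------------
// Saves a setting from a POST request with no proof that the user intended
// to send it. A page on another origin can submit an identical form; the
// browser attaches the victim's WordPress cookies, so the request runs with
// the logged-in user's permissions (the scenario the advisory describes).
function demo_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }
    // No nonce check and no capability check: any authenticated user can
    // change the option, and a forged cross-site POST succeeds.
    update_option( 'demo_api_endpoint', sanitize_text_field( wp_unslash( $_POST['endpoint'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save_settings_vulnerable', 'demo_save_settings_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
// 1. The form embeds a nonce bound to this action and the current user.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings' ); ?>
        <input type="text" name="endpoint"
               value="<?php echo esc_attr( get_option( 'demo_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler verifies the nonce (check_admin_referer() stops the request
//    with a 403 on mismatch) and the capability before changing state.
function demo_save_settings() {
    check_admin_referer( 'demo_save_settings' ); // checks the _wpnonce field for this action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'demo_api_endpoint', sanitize_text_field( wp_unslash( $_POST['endpoint'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );

// --- The same rule for a REST route -----------------------------------------
// WordPress honours cookie authentication on REST requests only when a valid
// X-WP-Nonce header (created with wp_create_nonce( 'wp_rest' )) is present;
// otherwise the request is treated as anonymous. A state-changing route must
// therefore never use a permissive permission_callback such as __return_true.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'demo_api_endpoint', sanitize_text_field( $request->get_param( 'endpoint' ) ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            // A request without a valid REST nonce is anonymous and fails here.
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'endpoint' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

When auditing a plugin for this class of issue, the check to make is that every handler hooked to admin_post_*, wp_ajax_* or a writable REST route pairs a nonce verification (check_admin_referer(), check_ajax_referer() or the REST nonce) with a current_user_can() test; a login check alone, as in the vulnerable function above, does not establish that the user intended the request.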