Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Custom Dashboard Page WordPress plugin by Muntasir Rahman. An attacker who can get a logged-in user to open a page the attacker controls (or to follow a crafted link) can make that user's browser submit a state-changing request that the plugin accepts as if the user had intended it. In WordPress plugins this class of flaw normally comes down to a request handler that performs a write without verifying a nonce, so the site cannot distinguish a deliberate submission from a forged one. What the attacker can change is bounded by the victim's own role: the actions in scope include modifying dashboard configuration and creating new content. The flaw does not by itself give code execution, but it can lead to data tampering or unauthorized configuration changes, and the impact is greatest when the victim is an administrator.
Affected Systems
The affected product is the Custom Dashboard Page plugin by Muntasir Rahman, version 1.0 and all earlier releases, on any WordPress site where the plugin is installed and active. A site is only exposed while the plugin is active; an installed but deactivated plugin does not register the vulnerable request handler.
Risk and Exploitability
The CVSS score of 4.3 places the flaw at Medium severity. The vector string is not given here, but a 4.3 matches the standard CSRF profile: reachable over the network, no privileges required of the attacker, user interaction required from the victim, and a limited integrity impact with no confidentiality or availability impact. The EPSS score of under 1% indicates that exploitation is currently rare, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack is delivered over the network: the victim must be authenticated to the site, with the plugin active, when they visit an attacker-controlled page that submits the forged request, and the victim must hold a role with enough capability for the forged action to matter. Those preconditions constrain practical exploitability but do not remove it, particularly on sites that have no other CSRF defenses such as SameSite cookie attributes or origin checks at a web application firewall.
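The following is an added example, not the Custom Dashboard Page plugin's own code, showing the handler pattern that produces a CSRF flaw in a WordPress plugin beside the hardened form. The action names (cdp_save_vulnerable, cdp_save), the option name cdp_dashboard_content, the nonce action cdp_save_settings and the nonce field name cdp_nonce are assumptions chosen for illustration; the plugin's real identifiers are not on this page.

```php
<?php
// Added example; not the Custom Dashboard Page plugin's code.
// All action, option and nonce names below are assumptions.

/* Vulnerable pattern: the write happens with no nonce and no capability check.
   Any request that reaches this action is acted on, including one that a
   logged-in administrator's browser was induced to send from another origin. */
add_action( 'admin_post_cdp_save_vulnerable', 'cdp_save_vulnerable' );
function cdp_save_vulnerable() {
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'cdp_dashboard_content', $content );
    wp_safe_redirect( admin_url( 'options-general.php?page=cdp' ) );
    exit;
}

/* Hardened pattern: verify the nonce and the capability before any write. */
add_action( 'admin_post_cdp_save', 'cdp_save_hardened' );
function cdp_save_hardened() {
    // check_admin_referer() validates the nonce in $_POST['cdp_nonce'] against
    // the action 'cdp_save_settings' for the current user and calls wp_die()
    // on failure. A cross-site page cannot read or forge that value, so a
    // forged request stops here.
    check_admin_referer( 'cdp_save_settings', 'cdp_nonce' );

    // A nonce proves intent, not authorization: a low-privilege user can obtain
    // a valid nonce for themselves, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'cdp_dashboard_content', $content );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=cdp' ) ) );
    exit;
}

/* The settings form must embed the nonce the hardened handler expects.
   wp_nonce_field() emits the cdp_nonce field plus a _wp_http_referer field. */
function cdp_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cdp_save">';
    wp_nonce_field( 'cdp_save_settings', 'cdp_nonce' );
    echo '<p><textarea name="content" rows="10" cols="80">'
        . esc_textarea( get_option( 'cdp_dashboard_content', '' ) )
        . '</textarea></p>';
    submit_button( 'Save dashboard content' );
    echo '</form>';
}
```

When reviewing a plugin for this class of flaw, look at every admin_post_*, admin-ajax.php and REST handler that writes options or posts, and confirm each one calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() and a current_user_can() check before the write. WordPress nonces are tied to the user, the action and a time window, so a nonce copied from one form cannot be replayed against a different action.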