Impact
A Cross‑Site Request Forgery (CSRF) flaw exists in the Simple Optimizer WordPress plugin in versions up to and including 1.2.7. The plugin's request handling does not verify that a state‑changing request originated from the plugin's own admin pages, so an attacker who can get an authenticated user (typically an administrator) to visit a page under the attacker's control can cause the victim's browser to submit a forged request that the plugin processes with the victim's privileges. Depending on which handler is targeted, this could change plugin settings, disable functionality, or trigger other privileged plugin actions. The vulnerability is classified as CWE‑352 (Cross‑Site Request Forgery), i.e. a missing or ineffective CSRF protection such as a nonce check.
Affected Systems
This issue affects WordPress sites that have the Simple Optimizer plugin by Chris Hurst installed at version 1.2.7 or earlier. The plugin is a third‑party add‑on that adds optimization features to a WordPress site; it is not part of WordPress core. No additional affected product or vendor information is listed beyond the plugin itself.
Risk and Exploitability
The CVSS score of 4.3 places the flaw in the medium severity range, and the EPSS score of <1% indicates a low estimated probability of exploitation in the wild at present. The flaw is not listed in CISA's KEV catalog. Exploitation requires user interaction: the attacker must lure a user who is logged in to the WordPress dashboard, ideally an administrator, to a crafted link or page that submits a request carrying the vulnerable plugin's parameters, and the victim's browser must still attach the session cookie to that cross‑site request. Because the flaw is limited to CSRF, it does not by itself provide remote code execution, but it can lead to unauthorized configuration changes or disruption of the plugin's functionality. Site operators should confirm the installed plugin version and apply any later release that addresses the issue; the page does not state which version, if any, contains the fix.
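The following is an added illustration of the CWE‑352 pattern described in the Impact and Risk sections above, written as a generic WordPress plugin settings handler. It is not code from Simple Optimizer and makes no claim about how that plugin is implemented; the hook names, option name and nonce action (`so_save`, `so_enabled`, `so_save_settings`, `so_nonce`) are hypothetical. The first handler accepts any POST that reaches it, which is exactly what a cross‑site form can trigger; the second adds the two checks WordPress provides for this: a capability check and a nonce bound to the action and the current user's session.

```php
<?php
// Added example: vulnerable vs. hardened admin-post.php handlers in a
// hypothetical WordPress plugin. Not Simple Optimizer's code.

// VULNERABLE (CWE-352): any request with action=so_save_vulnerable that
// arrives at admin-post.php is applied. The browser of a logged-in admin
// sends the session cookie with a cross-site POST, so an attacker's page
// containing an auto-submitting form can flip this option for them.
add_action( 'admin_post_so_save_vulnerable', 'so_save_vulnerable' );
function so_save_vulnerable() {
    update_option( 'so_enabled', isset( $_POST['so_enabled'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=so' ) );
    exit;
}

// HARDENED: (1) the user must hold the capability, (2) the request must
// carry a nonce generated for this action on a page the user actually
// visited. check_admin_referer() calls wp_die() when the nonce is missing,
// expired, or was issued for a different action or user.
add_action( 'admin_post_so_save', 'so_save_hardened' );
function so_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'so_save_settings', 'so_nonce' );

    update_option( 'so_enabled', isset( $_POST['so_enabled'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=so&updated=1' ) );
    exit;
}

// The legitimate settings form embeds the nonce, so only forms rendered by
// the plugin for this user carry a value the hardened handler will accept.
function so_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="so_save">
        <?php wp_nonce_field( 'so_save_settings', 'so_nonce' ); ?>
        <label>
            <input type="checkbox" name="so_enabled" value="1"
                   <?php checked( 1, (int) get_option( 'so_enabled', 0 ) ); ?>>
            Enable optimizer
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// The same rule applies to admin-ajax.php endpoints: use check_ajax_referer()
// (which also dies on failure) together with a capability check there.
add_action( 'wp_ajax_so_toggle', 'so_ajax_toggle' );
function so_ajax_toggle() {
    check_ajax_referer( 'so_save_settings', 'so_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enabled = ! empty( $_POST['so_enabled'] ) ? 1 : 0;
    update_option( 'so_enabled', $enabled );
    wp_send_json_success( array( 'so_enabled' => $enabled ) );
}
```

When auditing a plugin for this class of bug, grep every `admin_post_*`, `wp_ajax_*`, `admin_init` and REST callback that writes options or files and confirm each one reaches `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write; a capability check alone does not stop CSRF, because the forged request is made by a user who legitimately has the capability.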