The Hacklog Remote Image Autosave plugin contains a Cross‑Site Request Forgery flaw that allows an attacker to coerce an authenticated user into performing unintended actions, such as triggering the plugin’s image autosave function. The weakness is categorized as CWE‑352, indicating that the plugin fails to verify that state‑changing requests originate from legitimate user activity. In practice, this could lead to unauthorized content uploads, manipulation of the user’s media library, or other side effects depending on the plugin’s configuration. The CVSS score of 4.3 suggests a moderate base severity, with no presence in the CISA KEV catalog and an EPSS score of less than 1%, implying that the risk of active exploitation is currently low.

The vulnerability affects the WordPress plugin named Hacklog Remote Image Autosave developed by HuangYe WuDeng, for all releases up to and including version 2.1.0. No specific sub‑versions are enumerated beyond "<= 2.1.0", and the vendor did not provide a list of affected minor releases.

Exploitation requires the victim to be logged into the site and to visit a crafted URL or submit a malicious form that triggers the autosave endpoint. Attackers can embed the request in a malicious page or email, banking on the fact that the plugin does not enforce a CSRF token or nonce. Given the low EPSS and absence from KEV, the likelihood of a real‑world exploitation is considered limited at present. However, the presence of the flaw makes the plugin a potential target for attackers targeting sites with the plugin enabled and users who may be receptive to social‑engineering methods.