Impact
The vulnerability is a CWE‑352 Cross‑Site Request Forgery flaw: an attacker can cause state‑changing requests to be submitted to the wpShopGermany IT‑RECHT KANZLEI plugin, and the site treats them as if they originated from an authenticated user. Although the description does not detail the exact actions that can be performed, a CSRF vulnerability generally means that an attacker could alter plugin data or configuration, potentially affecting the integrity and availability of the WordPress site.
Affected Systems
The flaw exists in the WordPress wpShopGermany IT‑RECHT KANZLEI plugin provided by maennchen1.de. Any WordPress installation running plugin version 2.0 or earlier is vulnerable, that is, every release from the plugin’s initial release through 2.0. Versions newer than 2.0 are not affected.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the medium severity range, while the EPSS score of below 1% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no active exploitation has been documented. Exploitation requires a victim who is authenticated to the site to be lured into issuing the request; the crafted request could be delivered via a malicious link or an auto‑submitting form hosted on a third‑party domain, with the victim’s browser attaching the session cookies automatically. Even though known exploitation is rare, the risk remains, especially for high‑value e‑commerce or data‑sensitive sites.
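A CSRF weakness of this class in a WordPress plugin usually comes down to a request handler that neither binds the request to a nonce nor re‑checks the caller’s capability. The following added example is not the plugin’s own code; the handler slugs, option name and nonce name are assumptions chosen for illustration. It shows the vulnerable pattern beside its hardened form using WordPress’s built‑in nonce and capability checks.

```php
<?php
// Added illustration, not code from the wpShopGermany IT-RECHT KANZLEI plugin.
// Hypothetical settings-update handler; the action slugs, option name and
// nonce name below are assumptions for this example.

// Vulnerable pattern: the handler trusts the request solely because the
// browser attached the logged-in user's cookies. A form submitted from a
// third-party domain is processed exactly like a legitimate one (CSRF).
add_action( 'admin_post_wsg_save_settings_vulnerable', function () {
    update_option( 'wsg_legal_text', wp_unslash( $_POST['legal_text'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=wsg-settings' ) );
    exit;
} );

// Hardened pattern: require a nonce that a cross-origin page cannot read,
// and confirm the user is actually allowed to change settings.
add_action( 'admin_post_wsg_save_settings', function () {
    // check_admin_referer() stops with an error page if the nonce is
    // missing, expired, or was issued for another user or action.
    check_admin_referer( 'wsg_save_settings', '_wsg_nonce' );

    // Nonces prove intent, not authorisation; still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wsg' ), 403 );
    }

    $legal_text = sanitize_textarea_field( wp_unslash( $_POST['legal_text'] ?? '' ) );
    update_option( 'wsg_legal_text', $legal_text );
    wp_safe_redirect( admin_url( 'admin.php?page=wsg-settings&updated=1' ) );
    exit;
} );

// The settings form must embed the matching nonce so legitimate submissions
// carry it; wp_nonce_field() renders the hidden input for us.
function wsg_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wsg_save_settings">
        <?php wp_nonce_field( 'wsg_save_settings', '_wsg_nonce' ); ?>
        <textarea name="legal_text"><?php echo esc_textarea( get_option( 'wsg_legal_text', '' ) ); ?></textarea>
        <?php submit_button( __( 'Save', 'wsg' ) ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this flaw, look for every `admin_post_*`, `admin_action_*`, `wp_ajax_*` or form‑handling hook and confirm it performs both a nonce check and a capability check before any write.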