Impact
The ValidateCertify plugin for WordPress contains a cross-site request forgery (CSRF) flaw that lets an attacker cause an authenticated user's browser to perform privileged plugin actions without that user's consent. The attacker does not need an account on the target site; the only precondition is that the victim is logged in to a WordPress site where the plugin is installed at the moment the forged request is sent. If exploited, an attacker could trigger actions such as approving or rejecting certificates, or otherwise manipulate data stored by the plugin, undermining the integrity of course certification workflows.
Affected Systems
Any WordPress installation running the ValidateCertify plugin at version 1.6.1 or earlier. The affected product is ValidateCertify, published by Javier Revilla. No lower bound is listed: the "<= 1.6.1" range covers every earlier release, including any that were never separately documented.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the Medium band: the request can be forged from any origin and the attacker needs no credentials on the target, but the impact is limited to the data the plugin manages and the attack depends on a logged-in victim's interaction. The EPSS score of less than 1% suggests that active exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious web page or email that loads a URL, or auto-submits a form, crafted to make the victim's browser send a state-changing request to the plugin's endpoints while the user holds a valid session on the target WordPress site; because the browser attaches the site's cookies automatically, the server cannot tell the forged request from one the user initiated. The key weakness is the missing CSRF token on the state-changing handler (in WordPress terms, a nonce verified with check_admin_referer() or wp_verify_nonce()); with no other compensating control in place, nothing ties the request to an action the user actually intended. One caveat for triage: browsers that default cookies to SameSite=Lax withhold the session cookie from a cross-site POST but still send it on a top-level GET navigation, so whether a given handler is practically exploitable depends in part on which HTTP method it accepts.
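The following is an added illustration, not code from the ValidateCertify plugin or from its author: a generic WordPress admin-post handler written in the unsafe pattern the advisory describes (no nonce and no capability check) beside a hardened version of the same handler. The action name vc_approve_certificate, the vc_certificate post type, the _vc_status meta key, the _vc_nonce field name and the manage_options capability are all hypothetical placeholders.

```php
<?php
/*
 * Added example (not the plugin's code). Both handlers are reached through
 * wp-admin/admin-post.php?action=vc_approve_certificate. The admin_post_{action}
 * hook only fires for logged-in users, which is exactly the precondition a CSRF
 * attack needs: the victim's browser supplies the session cookie on its own.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Any page the victim visits can submit this form cross-site; nothing here proves
// the request came from a page the site itself rendered, and nothing checks the
// caller's role.
add_action('admin_post_vc_approve_certificate', 'vc_approve_certificate_vulnerable');
function vc_approve_certificate_vulnerable() {
    $id = isset($_POST['certificate_id']) ? absint($_POST['certificate_id']) : 0;
    update_post_meta($id, '_vc_status', 'approved');   // state change, unguarded
    wp_safe_redirect(admin_url('admin.php?page=vc-certificates'));
    exit;
}

// --- Hardened pattern -------------------------------------------------------
// 1. The form embeds a nonce bound to the action *and* to the certificate id, so a
//    nonce leaked for one record cannot be replayed against another.
function vc_render_approve_form($certificate_id) {
    $certificate_id = absint($certificate_id);
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="vc_approve_certificate">
        <input type="hidden" name="certificate_id" value="<?php echo esc_attr($certificate_id); ?>">
        <?php wp_nonce_field('vc_approve_certificate_' . $certificate_id, '_vc_nonce'); ?>
        <?php submit_button('Approve certificate'); ?>
    </form>
    <?php
}

// 2. The handler verifies the nonce before touching any state, then checks
//    authorisation separately: a nonce proves intent, not permission.
add_action('admin_post_vc_approve_certificate', 'vc_approve_certificate_hardened');
function vc_approve_certificate_hardened() {
    $id = isset($_POST['certificate_id']) ? absint($_POST['certificate_id']) : 0;

    // Rejects the request with wp_die() (HTTP 403) if the nonce is absent, expired,
    // issued for a different action/id, or issued to a different user session.
    check_admin_referer('vc_approve_certificate_' . $id, '_vc_nonce');

    // Capability check: even a genuine, nonce-bearing request from a low-privilege
    // user must not be able to approve certificates.
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to approve certificates.', 403);
    }

    // Input validation: only act on a record of the expected type.
    if (!$id || get_post_type($id) !== 'vc_certificate') {
        wp_die('Invalid certificate.', 400);
    }

    update_post_meta($id, '_vc_status', 'approved');
    wp_safe_redirect(admin_url('admin.php?page=vc-certificates&approved=' . $id));
    exit;
}
```

The same split applies to the plugin's other entry points: admin-ajax.php handlers should call check_ajax_referer() with a nonce passed in the request, and REST routes should rely on the X-WP-Nonce header plus a permission_callback. When auditing a release for this class of bug, look for every add_action('admin_post_…'), add_action('wp_ajax_…') and register_rest_route() handler that writes data and confirm that both a nonce verification and a capability check precede the write.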