Impact
The vulnerability is a cross-site request forgery (CSRF) flaw in the Custom Login Logo plugin. Because the plugin does not validate a CSRF token (nonce) or otherwise verify the origin of state-changing requests, an attacker who holds no credentials for the site can craft a request that changes the site's login logo; the change takes effect when an authenticated administrator's browser submits that request. The logo could be replaced or set to a malicious image, leading to brand defacement or phishing attempts. The issue carries a CVSS score of 4.3, indicating a moderate impact on the confidentiality and integrity of the site's appearance and on user trust.
Affected Systems
The affected software is the Custom Login Logo plugin for WordPress by Hakik Zaman (plugin slug ideal-wp-login-logo-changer), version 1.1.7 and earlier. Any WordPress installation running this plugin at version 1.1.7 or below is potentially vulnerable.
Risk and Exploitability
The exploit probability, as measured by the EPSS score, is below 1 %, signalling a low likelihood of exploitation at present. Because the plugin employs no CSRF protection, the attack vector is typically a malicious web page visited by a logged-in site administrator, or a crafted link delivered by email. While the CVSS score is moderate, the absence of critical exploitation conditions and the low EPSS suggest that the overall risk remains moderate; the plugin's popularity nevertheless means the vulnerability is present in many installations.
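The Impact and Risk sections above describe the missing-nonce pattern and how a logged-in administrator's browser becomes the vehicle. The following is an added illustration, not code from the Custom Login Logo plugin or its author, of a generic WordPress settings handler that stores a login-logo URL: first in the unprotected shape the advisory describes, then hardened with a nonce, a capability check and input validation. The option name, action slug and field names (all prefixed `hypothetical_`) are assumptions, not the plugin's own identifiers.

```php
<?php
/**
 * Added illustration (not the plugin's code). Identifiers prefixed
 * "hypothetical_" are invented for this example.
 */

// --- Unprotected pattern (shown for contrast, deliberately not registered):
// any POST carrying a 'logo_url' field is trusted. A third-party page that
// auto-submits a form to this endpoint while an administrator is logged in
// would overwrite the option, because the browser attaches the admin's
// session cookie and nothing here proves the request came from the site's
// own settings form.
function hypothetical_save_logo_unsafe() {
    if ( isset( $_POST['logo_url'] ) ) {
        update_option( 'hypothetical_login_logo_url', $_POST['logo_url'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern.

// The settings form embeds a nonce tied to this user and this action.
function hypothetical_render_logo_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_save_logo">
        <?php wp_nonce_field( 'hypothetical_save_logo', 'hypothetical_logo_nonce' ); ?>
        <label>Logo URL
            <input type="url" name="logo_url"
                   value="<?php echo esc_attr( get_option( 'hypothetical_login_logo_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// The handler refuses anything that is not a nonce-bearing request from a
// user allowed to change site settings.
function hypothetical_save_logo_safe() {
    // 1. Capability check: only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Nonce check: a cross-site form cannot obtain the per-user nonce,
    //    so a forged request terminates here with a "link expired" page.
    check_admin_referer( 'hypothetical_save_logo', 'hypothetical_logo_nonce' );

    // 3. Validate and sanitise the value before storing it; restrict the
    //    scheme so the stored URL cannot point at a non-http(s) resource.
    $url = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
    if ( '' !== $url
         && ! in_array( wp_parse_url( $url, PHP_URL_SCHEME ), array( 'http', 'https' ), true ) ) {
        wp_die( 'Only http(s) URLs are accepted.', 400 );
    }
    update_option( 'hypothetical_login_logo_url', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_hypothetical_save_logo', 'hypothetical_save_logo_safe' );
```

When reviewing a plugin for this class of flaw, the check is mechanical: every handler that calls `update_option`, writes files or otherwise changes state on a POST (or GET) request should be preceded by both a capability test and `check_admin_referer()` / `wp_verify_nonce()`. A handler that has neither, as in the first function above, is the pattern the advisory rates at CVSS 4.3; the fix is the second function, and it does not depend on the rest of the plugin.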