Impact
The vulnerability is a classic cross-site request forgery (CSRF) flaw, classified as CWE-352. An unauthenticated attacker who can get a logged-in user to load attacker-controlled content can make that user's browser send a crafted request to the Verge3D plugin. Because the affected versions do not adequately verify that the request originated from the plugin's own interface, the action is carried out with the victim's privileges. Depending on the endpoint targeted, this could alter plugin settings or trigger e-commerce transactions without the user's knowledge. The impact is primarily to data integrity, with a secondary privacy impact for end users whose actions can be subverted.
Affected Systems
The flaw affects Soft8Soft LLC's Verge3D plugin for WordPress in all versions up to and including 4.8.2. Administrators running any of these versions should update to a release later than 4.8.2 or, until they can, disable the affected functionality.
Risk and Exploitability
The CVSS base score of 4.3 places the issue at medium severity, a value typical for CSRF flaws that require user interaction and affect integrity only, and an EPSS score below 1% indicates a low current probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. As with any CSRF, the victim must be logged in to the WordPress site with a live session at the moment they visit the attacker's page or follow the attacker's link; the browser then attaches the session cookies to the forged request on its own. Because the affected versions do not require a valid anti-CSRF token (in WordPress terms, a nonce) or otherwise validate where the request came from, delivery can be fully automated once the victim is lured, although the attacker never sees the response. Two practical limits apply. First, without an authenticated victim there is nothing to exploit, so the exposed population is the site's logged-in users, with administrators the most valuable targets. Second, Chromium-based browsers treat cookies that carry no explicit SameSite attribute as Lax, which strips them from cross-site POST submissions but not from top-level GET navigations; this narrows, but does not remove, the exploitable surface, since WordPress does not set SameSite on its authentication cookies by default and any endpoint that performs a state change on GET remains reachable.
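To make the missing check concrete, the following is an added illustrative WordPress handler pair written for this page; it is not Verge3D's code, and the plugin, action and option names (the v3d_demo_* identifiers) are hypothetical. The first handler has the defect class the advisory describes, while the second adds the nonce and capability checks that WordPress core provides for exactly this purpose.

```php
<?php
// Illustrative example for a hypothetical "v3d_demo" plugin (not Verge3D's code).
// The vulnerable and hardened forms of the same settings handler are shown
// side by side so that the missing check is visible.

// --- Vulnerable: no nonce, no capability check. Any page the victim visits can
// --- submit to admin-post.php?action=v3d_demo_save_unsafe and the browser attaches
// --- the WordPress login cookie automatically, so the option is overwritten.
add_action( 'admin_post_v3d_demo_save_unsafe', function () {
    $value = sanitize_text_field( wp_unslash( $_POST['v3d_demo_setting'] ?? '' ) );
    update_option( 'v3d_demo_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=v3d_demo' ) );
    exit;
} );

// --- Hardened: the request must carry a nonce bound to this action and to the
// --- current user's session, and the user must hold the capability to change
// --- settings. A cross-site page cannot read the nonce, so it cannot forge it.
add_action( 'admin_post_v3d_demo_save', function () {
    // Checks $_REQUEST['_wpnonce'] against the 'v3d_demo_save' action and stops
    // with a 403 "link has expired" page when it is missing or invalid.
    check_admin_referer( 'v3d_demo_save' );

    // A valid nonce only proves the request came from our own form; it does not
    // prove the user is allowed to do this, so the capability check stays.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'v3d-demo' ), '', array( 'response' => 403 ) );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['v3d_demo_setting'] ?? '' ) );
    update_option( 'v3d_demo_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=v3d_demo' ) );
    exit;
} );

// --- The settings form that emits the hidden nonce field the hardened handler expects.
function v3d_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="v3d_demo_save">
        <?php wp_nonce_field( 'v3d_demo_save' ); ?>
        <input type="text" name="v3d_demo_setting"
               value="<?php echo esc_attr( get_option( 'v3d_demo_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Same pattern for an AJAX endpoint that performs a state change (for example
// --- an order action). check_ajax_referer() terminates the request on failure;
// --- the field name 'nonce' must match what the page's JavaScript sends, and the
// --- nonce itself is created server-side with wp_create_nonce( 'v3d_demo_order' ).
add_action( 'wp_ajax_v3d_demo_order', function () {
    check_ajax_referer( 'v3d_demo_order', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... perform the state-changing action here ...
    wp_send_json_success();
} );
```

Two points worth keeping in mind when auditing a plugin for this class of bug: a WordPress nonce is not single-use, it is an HMAC over the action name, the user ID and a time-window tick that stays valid for up to 24 hours, so it defends against forgery by a third-party page but not against replay by someone who already obtained it; and a nonce check on a `wp_ajax_nopriv_*` handler protects nothing, because those handlers are reachable without a session in the first place.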
OpenCVE Enrichment