Impact
The vulnerability is a Cross‑Site Request Forgery flaw (CWE‑352) in the Vollstart Serial Codes Generator and Validator with WooCommerce Support WordPress plugin. Based on the description, it is inferred that the vulnerability permits an attacker to induce an authenticated WordPress user to send a forged request to the plugin’s endpoint, allowing the attacker to make the user perform actions that the plugin processes. The flaw is inferred not to involve code execution or privilege escalation beyond the victim’s permissions.
Affected Systems
Versions 2.7.7 and earlier of the WordPress plugin "Serial Codes Generator and Validator with WooCommerce Support" by Vollstart are affected. Any WordPress site that has this plugin installed and has not yet upgraded is potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.3 labels the flaw as low severity. The EPSS score indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that exploitation requires a logged‑in WordPress user who is tricked into visiting a crafted URL or submitting a malicious form that targets the plugin’s endpoint. The description also implies that because the attack depends on user interaction and the victim’s authenticated state, the overall risk may be moderate for sites with proper access controls, though patching remains the recommended approach.