Impact
The vulnerability is a Cross‑Site Request Forgery flaw in the Custom Fields Account Registration For Woocommerce plugin. An attacker can forge requests that appear to originate from an authenticated user, potentially changing account details or performing actions within a WooCommerce store. The flaw stems from missing CSRF protection, a weakness classified as CWE‑352, and can lead to unauthorized account modification or other state‑changing operations.
Affected Systems
The issue affects the silverplugins217 Custom Fields Account Registration For Woocommerce plugin with versions up to and including 1.1 on WordPress sites that use WooCommerce. No specific WordPress core or WooCommerce versions are listed, but any site installing this plugin's affected releases is vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. The EPSS score of < 1% and the absence from the CISA KEV catalog suggest that exploitation is unlikely at present, but the vulnerability remains valid. CSRF attacks commonly require the victim to visit a malicious link while logged into the site, so the attack is practical wherever the plugin is enabled. Because the flaw does not provide a remote code execution scenario, the risk stays moderate, but it is still actionable for administrators.
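For administrators auditing installed plugins for this class of flaw (CWE-352), the following added example, which is not code from the plugin or from this advisory, flags PHP functions that write state from request input without a WordPress nonce check. The sample PHP and its `demo_*` names are constructed, and the heuristic (regular expressions plus naive brace matching) is an assumption about how such handlers typically look.

```python
import pathlib
import re
import sys

# WordPress calls that change stored state, and the core nonce-verification calls.
WRITES = re.compile(r"\b(update_option|delete_option|update_user_meta|"
                    r"delete_user_meta|wp_update_user|wp_insert_user)\s*\(")
INPUT = re.compile(r"\$_(POST|GET|REQUEST)\b")
NONCE = re.compile(r"\b(wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(")
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*(?::\s*\??[\w\\]+\s*)?\{")

# Constructed sample, not the affected plugin's code.
SAMPLE_PHP = r"""<?php
function demo_save_settings() {
    if ( isset( $_POST['demo_fields'] ) ) {
        update_option( 'demo_fields', sanitize_text_field( wp_unslash( $_POST['demo_fields'] ) ) );
    }
}
function demo_save_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) { return; }
    check_admin_referer( 'demo_save', 'demo_nonce' );
    if ( isset( $_POST['demo_fields'] ) ) {
        update_option( 'demo_fields', sanitize_text_field( wp_unslash( $_POST['demo_fields'] ) ) );
    }
}
function demo_render() { echo esc_html( get_option( 'demo_fields' ) ); }
"""

def function_bodies(php):
    """Yield (name, body) per named function; braces in strings are not handled."""
    for m in FUNC.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        yield m.group(1), php[m.end():i - 1]

def unprotected_handlers(php):
    """Functions that use request input to write state with no nonce check."""
    return [name for name, body in function_bodies(php)
            if INPUT.search(body) and WRITES.search(body) and not NONCE.search(body)]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan every PHP file under the given plugin directory
        for path in pathlib.Path(sys.argv[1]).rglob("*.php"):
            for name in unprotected_handlers(path.read_text(errors="replace")):
                print(f"{path}: {name}")
    else:
        print(unprotected_handlers(SAMPLE_PHP))
```

A hit is a lead for manual review, not a confirmed finding: a handler may be protected by a nonce check in its caller, and one that passes may still lack a capability check.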