Impact
The Float menu WordPress plugin contains a CSRF weakness that allows an attacker to alter the plugin’s configuration without proper authorization. The flaw stems from settings changes being accepted on authenticated requests that lack sufficient nonce protection, so a malicious site can submit forged requests through a victim’s browser. The vulnerability directly affects the confidentiality of the site’s configuration and could be leveraged to enable further compromises. The associated weakness is classified as CWE‑352.
Affected Systems
Any WordPress installation running Wow‑Company’s Float menu plugin version 6.1.2 or earlier is vulnerable. The affected product is the Float menu plugin shipped for WordPress sites; the exact version range is all releases up to and including 6.1.2.
Risk and Exploitability
With a CVSS score of 5.4 the flaw is of moderate severity. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, and the vulnerability is not catalogued in CISA’s KEV list. Based on the description, the attack path requires a victim to be authenticated to the administrative interface with an active browser session, after which a crafted request can alter plugin settings because the nonce check is missing. Although the likelihood of exploitation remains small, an unauthorized settings change can expand the attack surface or bypass security controls, so the moderate severity score should be weighed together with the exploit probability rather than dismissed.
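To make the missing-nonce pattern concrete, the following is an added PHP illustration and not the Float menu plugin’s own code: a hypothetical settings handler for an imaginary plugin (`example_menu`, option and hook names are assumptions) shown first in the weak form that accepts any authenticated POST, then in the hardened form that binds the form to a WordPress nonce and a capability check.

```php
<?php
// Added illustration; the plugin name, option key and action name are assumptions.

// Weak pattern: any authenticated request, forged or not, updates the option.
function example_menu_save_settings_weak() {
    if ( isset( $_POST['example_menu_position'] ) ) {
        update_option(
            'example_menu_position',
            sanitize_text_field( wp_unslash( $_POST['example_menu_position'] ) )
        );
    }
}

// Hardened pattern, step 1: the form carries a nonce tied to this action.
function example_menu_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_menu_save">
        <?php wp_nonce_field( 'example_menu_save', '_example_menu_nonce' ); ?>
        <input type="text" name="example_menu_position"
               value="<?php echo esc_attr( get_option( 'example_menu_position', 'left' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: the handler verifies capability and nonce before writing.
function example_menu_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies on a missing, expired, or foreign nonce (a cross-site forged request has none).
    check_admin_referer( 'example_menu_save', '_example_menu_nonce' );

    $position = isset( $_POST['example_menu_position'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_menu_position'] ) )
        : 'left';
    if ( ! in_array( $position, array( 'left', 'right' ), true ) ) {
        $position = 'left'; // reject values outside the allow-list
    }
    update_option( 'example_menu_position', $position );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_menu_save', 'example_menu_save_settings' );
```

When reviewing a plugin for this class of bug, look for `update_option` calls reachable from a request handler that has no preceding `check_admin_referer` / `wp_verify_nonce` and no capability check.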
OpenCVE Enrichment