Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Elite Video Player plugin. The likely attack vector is a forged request: an attacker who tricks a legitimate user into visiting a crafted page could cause the victim to unknowingly submit requests to the target WordPress instance that alter the plugin's configuration or perform other state-changing actions. The impact is limited to authorization abuse and data modification rather than privilege escalation or denial of service; the CVSS score reflects a moderate risk.
Affected Systems
The flaw affects the CreativeMedia Elite Video Player plugin in all releases from the earliest available through version 10.0.5. Users running any of these versions on WordPress sites are potentially vulnerable.
Risk and Exploitability
With a CVSS score of 5.4 and an EPSS probability of less than 1%, the likelihood of exploitation is low, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation typically requires a phishing or social‑engineering step to lure a privileged user to a malicious site that submits a forged request to the target WordPress instance. Once the request is accepted, the attacker can modify plugin settings or perform other actions permitted by the victim’s privileges.