The Usermaven plugin for WordPress contains a CSRF flaw that allows an attacker to trick a logged-in user into performing unintended state‑changing actions. This weakness is classified as CWE-352 and can lead to unauthorized modifications of user data or configuration if the site never validates the source of requests. While the flaw does not provide direct code execution, its impact is the loss of integrity of user‑managed data and potential escalation of privileges within the WordPress installation.

The vulnerable component is the Usermaven WordPress plugin, versions 1.2.1 and earlier. Any WordPress site that has installed this plugin without upgrading beyond version 1.2.1 is at risk. The vulnerability affects all releases from the starting point of the plugin’s public availability up to and including 1.2.1.

With a CVSS score of 4.3 the issue is of moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers would typically need a victim who is already authenticated to the site and could be induced to visit a malicious page that submits a forged request against the Usermaven endpoints. The exploit is straightforward for a skilled adversary, but requires user interaction.