Impact
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Ultimate Security Checker plugin. An attacker can cause the plugin's security rescan operation to run in the context of an authenticated user, without that user intending it. This could be used to trigger unauthorized scans or potentially expose details of the site's configuration without the user's consent. According to the description, the vulnerability exists in all releases up to and including version 4.2 of the plugin.
Affected Systems
The affected product is bsndev Ultimate Security Checker. All plugin versions from the earliest release through version 4.2 are vulnerable. Users running any of these versions should check the plugin's official update listing or changelog to determine whether a fixed release is available.
Risk and Exploitability
The CVSS base score for this issue is 4.3, which falls in the Medium severity band (4.0 to 6.9) of the CVSS qualitative rating scale, not Low. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploiting a CSRF flaw requires the attacker to get a logged-in user with sufficient privileges to send the rescan request, typically by luring that user to an unrelated site that embeds a malicious link or an auto-submitting form pointing at the vulnerable endpoint. The attack works because the browser attaches the victim's WordPress session cookies to the forged request and the handler does not verify that the request was deliberately initiated (in WordPress plugins this usually means a missing nonce check). The overall risk is limited unless the rescan operation itself reveals sensitive information or is expensive enough to affect site performance.
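The CSRF pattern described above, as an added example that is not the Ultimate Security Checker plugin's own code (the plugin's handlers are not shown on this page): a generic WordPress admin-post handler for a rescan action, first without any check that the request was intentionally issued, then hardened with a nonce and a capability check. Every function, hook, option and nonce name here is an assumption chosen for illustration.

```php
<?php
/**
 * Added illustration, not the Ultimate Security Checker plugin's code.
 * Shows a WordPress "rescan" handler in CSRF-vulnerable and hardened form.
 * All names (example_* functions, hooks, option key) are assumptions.
 */

// Placeholder for whatever a real plugin does when it rescans (assumed).
function example_run_rescan() {
    update_option( 'example_last_scan', time() );
}

/*
 * Vulnerable pattern: any request to
 *   admin-post.php?action=example_rescan
 * from a logged-in browser runs the scan. A third-party page can cause
 * that request with an auto-submitting form, for instance:
 *
 *   <form method="POST" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="example_rescan">
 *   </form>
 *   <script>document.forms[0].submit();</script>
 *
 * The browser attaches the victim's WordPress cookies, so the handler runs
 * as the victim. Nothing in the request proves the victim meant to send it.
 */
function example_rescan_vulnerable() {
    example_run_rescan();
    wp_safe_redirect( admin_url( 'admin.php?page=example&scanned=1' ) );
    exit;
}
add_action( 'admin_post_example_rescan', 'example_rescan_vulnerable' );

/*
 * Hardened pattern: require a nonce bound to this specific action, and
 * separately require a capability. The nonce is unpredictable to a
 * cross-site attacker; the capability check stops low-privilege users
 * who could otherwise obtain a valid nonce of their own.
 */
function example_rescan_hardened() {
    // check_admin_referer() calls wp_die() when the nonce is absent or invalid.
    check_admin_referer( 'example_rescan_action', 'example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    example_run_rescan();
    wp_safe_redirect( admin_url( 'admin.php?page=example&scanned=1' ) );
    exit;
}
add_action( 'admin_post_example_rescan_secure', 'example_rescan_hardened' );

// The legitimate button. The nonce field is what a forged cross-site
// request cannot supply, because the attacker cannot read the victim's page.
function example_render_rescan_button() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_rescan_secure">
        <?php wp_nonce_field( 'example_rescan_action', 'example_nonce' ); ?>
        <?php submit_button( 'Rescan now' ); ?>
    </form>
    <?php
}
```

Two caveats worth keeping in mind when reviewing a fix for this class of bug. First, if the rescan can be triggered by a plain GET link rather than a POST form, the browser's default SameSite=Lax cookie behaviour does not help, because top-level GET navigations still carry cookies; links must then be generated with wp_nonce_url() and verified the same way. Second, a nonce check alone is not an authorization check: WordPress nonces are tied to the logged-in user, so a low-privilege account can mint one for itself, which is why the hardened handler also calls current_user_can().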