Impact
The LWS SMS plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to make a logged-in user's browser submit forged requests to the plugin. The plugin lacks the necessary CSRF tokens (in WordPress terms, nonces) on its sensitive endpoints, as inferred from the description that the flaw "allows Cross Site Request Forgery." If exploited, the attacker could trigger any operation that the authenticated user is permitted to perform, such as altering plugin settings or sending messages, although the exact actions are not specified in the advisory.
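As an added illustration of the missing-token weakness the advisory describes (hypothetical plugin code written for this page, not the LWS SMS plugin's own), here is a WordPress settings handler that relies on the capability check alone, beside a hardened version that also verifies a nonce; every `example_sms_*` name is invented.

```php
<?php
// Hypothetical settings handler, NOT code from the LWS SMS plugin.
// Pattern (a): capability check only. The browser attaches the victim's
// cookies automatically, so a form auto-submitted from another site
// reaches this handler as the logged-in admin and passes the check.
add_action('admin_post_example_sms_save_v1', 'example_sms_save_unprotected');
function example_sms_save_unprotected() {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    // No proof that the request came from the plugin's own form.
    update_option('example_sms_sender', sanitize_text_field(wp_unslash($_POST['sender'] ?? '')));
    wp_safe_redirect(admin_url('options-general.php?page=example-sms'));
    exit;
}

// Pattern (b): the form embeds a nonce bound to this action and user,
// and the handler refuses requests that do not carry a valid one.
function example_sms_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_sms_save">
        <?php wp_nonce_field('example_sms_save', 'example_sms_nonce'); ?>
        <input type="text" name="sender"
               value="<?php echo esc_attr(get_option('example_sms_sender', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

add_action('admin_post_example_sms_save', 'example_sms_save_protected');
function example_sms_save_protected() {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    // check_admin_referer() validates the nonce for this action/user and
    // terminates the request with 403 if it is missing or wrong. A page on
    // another origin cannot read the per-user nonce, so a forged POST fails here.
    check_admin_referer('example_sms_save', 'example_sms_nonce');
    update_option('example_sms_sender', sanitize_text_field(wp_unslash($_POST['sender'] ?? '')));
    wp_safe_redirect(admin_url('options-general.php?page=example-sms'));
    exit;
}
```

The same nonce check applies to AJAX and REST handlers (`check_ajax_referer()` or the REST `X-WP-Nonce` header); a capability check on its own never establishes where a request originated.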
Affected Systems
Versions of the LWS SMS plugin up to and including 2.4.1 are affected, as stated by the vendor. No fixed or later release is noted, and the current information does not exclude any earlier revision from the affected range.
Risk and Exploitability
The vulnerability is rated with a CVSS score of 5.4, placing it in the moderate (Medium) range. Its EPSS score is reported as less than 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, further suggesting that active exploitation is unlikely at present. The likely attack vector is that an attacker lures a legitimate, logged-in user to a malicious page containing a crafted URL or auto-submitting form; this is inferred from the nature of CSRF attacks rather than stated in the advisory. Given the moderate severity and low exploitation probability, the risk is manageable but still warrants timely remediation to prevent potential misuse.
OpenCVE Enrichment