Impact
The Spare WordPress theme (themeton Spare) contains a CSRF flaw that lets an attacker force a logged-in administrator to perform unintended actions on the site. The vulnerability stems from missing CSRF checks (WordPress nonce verification) on actions such as creating or deleting content or changing settings. While it does not provide code execution, it permits the attacker to alter site state with the victim’s privileges.
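To make the missing check concrete, the following is an added illustration, not code from the Spare theme; the handler, hook and option names (spare_demo_*) are hypothetical. It shows an admin-post handler with no nonce verification beside the hardened form that uses WordPress's capability and nonce APIs, plus the form that emits the matching nonce field.

```php
<?php
// Added illustration only; not the Spare theme's code. All spare_demo_*
// names are hypothetical.

// Vulnerable pattern: the handler trusts any request that arrives with
// the administrator's session cookies. A form submitted from a third-party
// page is indistinguishable from a legitimate one, so the option changes
// with the victim's privileges.
function spare_demo_save_settings_vulnerable() {
    $color = sanitize_text_field( wp_unslash( $_POST['accent_color'] ?? '' ) );
    update_option( 'spare_demo_accent_color', $color );
    wp_safe_redirect( admin_url( 'themes.php?page=spare-demo&updated=1' ) );
    exit;
}

// Hardened pattern: require the capability the action needs, then verify
// a nonce bound to this specific action. A third-party page cannot obtain
// the nonce, so a forged request fails before any state changes.
function spare_demo_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // check_admin_referer() stops the request on a missing or invalid nonce.
    check_admin_referer( 'spare_demo_save_settings', '_spare_demo_nonce' );

    $color = sanitize_text_field( wp_unslash( $_POST['accent_color'] ?? '' ) );
    update_option( 'spare_demo_accent_color', $color );
    wp_safe_redirect( admin_url( 'themes.php?page=spare-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_spare_demo_save', 'spare_demo_save_settings_fixed' );

// The settings form must carry the matching nonce so that legitimate
// submissions pass the check above.
function spare_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="spare_demo_save">
        <?php wp_nonce_field( 'spare_demo_save_settings', '_spare_demo_nonce' ); ?>
        <input type="text" name="accent_color"
               value="<?php echo esc_attr( get_option( 'spare_demo_accent_color', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a theme for this class of bug, look for admin_post_*, admin-ajax.php and option-saving handlers that call update_option(), wp_insert_post() or wp_delete_post() without a preceding check_admin_referer() or wp_verify_nonce() call.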
Affected Systems
All installations of the Spare theme version 1.7 or earlier are affected. This includes any WordPress site that has the theme deployed without being upgraded beyond 1.7.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. The EPSS score is less than 1%, suggesting that the likelihood of exploitation in the wild is low. The vulnerability is not listed in CISA’s KEV catalog. The likely attack scenario, inferred from the vulnerability description, is that an attacker would need a victim who is authenticated to the site and would try to trick them into visiting a malicious URL, typically via social engineering or phishing. Because no public exploit code is known at present, the overall risk is moderate and the attack vector remains limited.
OpenCVE Enrichment