Impact
The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw in NiteoThemes' CLP – Custom Login Page plugin for WordPress. Because the plugin does not require or verify a nonce (WordPress's CSRF token) on key administrative operations, an attacker who lures a logged‑in user to a crafted page can make that user's browser submit a forged request on their behalf, changing login‑page settings, altering site behavior, or submitting content without the user's knowledge. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery) and carries a CVSS base score of 4.3, which falls in the Medium range.
Affected Systems
The affected product is the NiteoThemes CLP – Custom Login Page plugin for WordPress, in all releases up to and including version 1.5.5. The official advisories list no other versions as vulnerable, so releases after 1.5.5 are not listed as affected. Before treating a site as patched, confirm the installed version on the Plugins screen or with WP‑CLI (`wp plugin list`), since a plugin can remain installed at an old version even when updates are available.
Risk and Exploitability
Severity is moderate and the estimated likelihood of exploitation is low (EPSS below 1 %). An attacker must target a site that still runs the vulnerable plugin, have a victim who is authenticated to it with sufficient privileges, and get that victim's browser to send a crafted request (for example, from a page that auto‑submits a form), which the plugin then accepts because it performs no nonce verification. The vulnerability is not in the CISA KEV catalog and exploitation requires user interaction in the browser, so the threat is limited but not negligible. Administrators should treat the plugin as a medium‑risk asset until it is updated.
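To make the mechanism described in the Impact and Risk sections concrete, the following is an added example (not the CLP plugin's own code, and not taken from the advisories): a hypothetical WordPress settings handler written twice, once in the CWE‑352 shape the advisory describes (no nonce check) and once hardened with WordPress's standard nonce functions. The hook, action, option and form field names (`clp_demo_*`, `logo_url`) are invented for illustration.

```php
<?php
/**
 * Added example, not the CLP plugin's code. All clp_demo_* names and the
 * logo_url field are hypothetical. Both handlers are reached through
 * wp-admin/admin-post.php?action=<name>, which runs them with the
 * visitor's WordPress login cookies attached.
 */

// --- Vulnerable pattern: trusts any POST that reaches admin-post.php ---
// If a logged-in administrator is lured to an attacker page whose form
// auto-submits to admin-post.php?action=clp_demo_save_vuln, this code runs
// with the administrator's session and changes the option.
add_action( 'admin_post_clp_demo_save_vuln', 'clp_demo_save_settings_vuln' );
function clp_demo_save_settings_vuln() {
    // A capability check alone does not stop CSRF: the victim *is* an admin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // No nonce check, so nothing ties this request to the plugin's own form.
    $logo = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
    update_option( 'clp_demo_login_logo', $logo );
    wp_safe_redirect( admin_url( 'options-general.php?page=clp-demo&updated=1' ) );
    exit;
}

// --- Hardened pattern: nonce bound to the action and the current user ---
add_action( 'admin_post_clp_demo_save', 'clp_demo_save_settings' );
function clp_demo_save_settings() {
    // check_admin_referer() dies with a 403 "link has expired" page unless the
    // request carries a nonce generated for this action, for this user, within
    // the nonce lifetime. An attacker's page cannot read that value from the
    // victim's admin screen, so a cross-site form cannot supply it.
    check_admin_referer( 'clp_demo_save_settings', 'clp_demo_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $logo = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
    update_option( 'clp_demo_login_logo', $logo );
    wp_safe_redirect( admin_url( 'options-general.php?page=clp-demo&updated=1' ) );
    exit;
}

// The plugin's own settings form must emit the matching nonce. The hidden
// field name passed to wp_nonce_field() must equal the second argument of
// check_admin_referer() above, and the action string must match as well.
function clp_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="clp_demo_save">
        <?php wp_nonce_field( 'clp_demo_save_settings', 'clp_demo_nonce' ); ?>
        <input type="url" name="logo_url"
               value="<?php echo esc_attr( get_option( 'clp_demo_login_logo', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two practical notes. First, the capability check is still required in the hardened version: the nonce proves the request came from the plugin's own form in this user's session, and `current_user_can()` proves the user is allowed to make the change; neither substitutes for the other. Second, forms that post to `options.php` through the Settings API (`register_setting()` plus `settings_fields()`) get the nonce and capability checks from WordPress core, whereas custom `admin_post_*` and `admin-ajax.php` handlers like the ones above must call `check_admin_referer()` or `check_ajax_referer()` themselves, which is exactly the step a CWE‑352 finding in a plugin indicates was missed.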