Impact
The vulnerability is a CSRF flaw in the Labinator Content Types Duplicator WordPress plugin. The flaw allows a malicious actor to cause the plugin to perform actions on behalf of a logged-in user without their knowledge. The official description notes that the flaw exists from the initial release through version 1.1.3, but it does not detail the exact protection missing. The weakness is identified as CWE-352, meaning improper validation of the origin of requests can lead to unintended actions by authenticated users, which can affect the integrity of site content or configuration.
Affected Systems
The issue affects WordPress sites running the Labinator Content Types Duplicator plugin version 1.1.3 or earlier. Administrators who have retained legacy releases from the initial release up to and including 1.1.3 are at risk; all newer releases are presumed fixed.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the moderate severity range. The EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, which is consistent with a low risk of widespread attacks. While the description does not specify the exact exploitation path, CSRF flaws typically require a victim who is authenticated, holds sufficient privileges for the targeted action, and can be induced to trigger the offending request. If an attacker can craft a request that mimics a legitimate plugin action, the site may duplicate content, change settings, or otherwise alter its state without the user's consent.
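As an added illustration of the CWE-352 class described above, not the plugin's own code (the handler, the form and every `ctd_example_*` name are hypothetical), here is a WordPress admin-post handler in its weak form next to a hardened form that verifies a per-user nonce and a capability before changing any state:

```php
<?php
// Hypothetical WordPress admin action handler illustrating CWE-352 mitigation.
// Not the Labinator plugin's code; all ctd_example_* names are assumptions.

// Weak pattern: the handler acts on POST data with no proof of intent.
// A form on any site the administrator visits can submit these fields; the
// browser attaches the admin's session cookie, so WordPress runs it as them.
function ctd_example_duplicate_weak() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // ... duplicate $post_id here without confirming the admin asked for it ...
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// Hardened pattern, part 1: the form carries a nonce bound to this user,
// this action and this item. A cross-site page cannot read or forge it.
function ctd_example_render_form( $post_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ctd_example_duplicate">
        <input type="hidden" name="post_id" value="<?php echo absint( $post_id ); ?>">
        <?php wp_nonce_field( 'ctd_example_duplicate_' . absint( $post_id ), 'ctd_example_nonce' ); ?>
        <?php submit_button( 'Duplicate' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify the nonce, then the capability, then act.
function ctd_example_duplicate_hardened() {
    $post_id = absint( $_POST['post_id'] ?? 0 );

    // check_admin_referer() calls wp_die() when the nonce is missing, stale or
    // issued for a different user/action/item, so nothing below runs on failure.
    check_admin_referer( 'ctd_example_duplicate_' . $post_id, 'ctd_example_nonce' );

    // A nonce proves intent, not authorization: the capability check is separate.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate this item.', 'ctd-example' ), 403 );
    }

    // ... perform the duplication here ...
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_ctd_example_duplicate', 'ctd_example_duplicate_hardened' );
```

When reviewing a plugin for this class of flaw, look for every `admin_post_*`, `wp_ajax_*` or `admin_init` handler that changes state and confirm it reaches both a nonce check and a capability check before doing so.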
OpenCVE Enrichment