Impact
The vulnerability is a Cross-Site Request Forgery flaw that allows an attacker to trigger privileged actions within the WordPress site by tricking an authenticated user into submitting a forged request. The issue resides in the Theme Duplicator plugin, versions 1.1 and earlier, where no CSRF token is enforced on certain operations. If exploited, a malicious actor could perform actions such as duplicating or modifying theme data without providing valid credentials, potentially leading to data tampering or site compromise. The flaw is classified as CWE-352 and poses a risk of unauthorized state-changing operations but does not directly expose information or lead to remote code execution.
Affected Systems
The affected asset is the WordPress Theme Duplicator plugin developed by Rohit Choudhary. Versions from the initial release through 1.1 are vulnerable. No other plugin or WordPress core component has been identified as affected.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. CSRF attacks typically require a victim user who is already authenticated to the site; an attacker can induce the user to visit a crafted URL that submits a form or triggers an HTTP request with the victim’s session cookie. Because the vulnerable operations lack additional authentication checks, the attack vector is straightforward for a user with any site role. The low EPSS suggests that widespread exploitation is unlikely, but the existence of the flaw warrants attention if the plugin remains in use on a live site.
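The missing control described above, shown as an added example of a WordPress admin action that enforces a nonce (WordPress's CSRF token) together with a capability check. This is not the Theme Duplicator plugin's code; every `td_example_*` name, the form field names and the choice of the `install_themes` capability are assumptions made for illustration.

```php
<?php
// Added example. All td_example_* identifiers are hypothetical.

// Admin-screen form: wp_nonce_field() embeds a token bound to the current
// user, session and action name, which a third-party page cannot predict.
function td_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="td_example_duplicate">
        <input type="text" name="theme_slug">
        <?php wp_nonce_field( 'td_example_duplicate', 'td_example_nonce' ); ?>
        <?php submit_button( 'Duplicate theme' ); ?>
    </form>
    <?php
}

// Register only the logged-in hook; no admin_post_nopriv_* variant.
add_action( 'admin_post_td_example_duplicate', 'td_example_handle_duplicate' );

function td_example_handle_duplicate() {
    // 1. Authorization: a valid session cookie alone is not enough.
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: terminates the request unless the nonce field is present and
    //    valid for this action. A forged cross-site request cannot supply it.
    check_admin_referer( 'td_example_duplicate', 'td_example_nonce' );

    // 3. Validate input only after both checks have passed.
    $slug  = isset( $_POST['theme_slug'] ) ? sanitize_key( wp_unslash( $_POST['theme_slug'] ) ) : '';
    $theme = wp_get_theme( $slug );
    if ( '' === $slug || ! $theme->exists() ) {
        wp_die( 'Unknown theme.', '', array( 'response' => 400 ) );
    }

    // 4. The state-changing operation itself: copy the theme directory.
    WP_Filesystem();
    $source = trailingslashit( get_theme_root() ) . $slug;
    $target = $source . '-copy';
    wp_mkdir_p( $target );
    $result = copy_dir( $source, $target );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
}
```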