Impact
Cross‑Site Request Forgery (CSRF) in the SwiftXR (3D/AR/VR) Viewer plugin allows an attacker to cause actions to be performed on the site without the user’s consent. The flaw stems from missing CSRF protection on a state‑changing request, a weakness classified as CWE‑352. A successful exploit could let an attacker submit requests that modify settings, add content, or otherwise alter the site state, potentially leading to data loss or service disruption if sensitive operations are affected.
Affected Systems
The vulnerability impacts the SwiftXR (3D/AR/VR) Viewer plugin for WordPress, affecting all releases from the earliest version up through 1.0.7. Users who have not applied the vendor’s latest patch or replacement for the plugin are at risk.
Risk and Exploitability
The CVSS score is 5.4, indicating moderate severity, while the EPSS score is below 1 %, suggesting that exploitation is unlikely in the near term. The vulnerability is not listed in CISA’s KEV catalog, so there is no public evidence of active exploitation. The likely attack vector involves a user who is already authenticated to the site: a malicious page crafts a request that the victim’s browser submits automatically, carrying the victim’s session cookies, so the server processes it as a legitimate action by that user.
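The root cause described above is the generic WordPress anti‑CSRF gap: a state‑changing handler that never verifies a nonce. The following added illustration (not the SwiftXR plugin’s code; the action names, option name and capability are hypothetical) shows the weak handler pattern next to its hardened form using WordPress’s own nonce and capability APIs.

```php
<?php
// Added illustration of a WordPress admin-ajax handler, not the SwiftXR plugin's
// code. 'example_viewer_*' names and the 'manage_options' capability are hypothetical.

// --- Weak pattern: no nonce check, no capability check ---
// A logged-in user whose browser is steered to a third-party page can have
// admin-ajax.php?action=example_viewer_save_unsafe submitted on their behalf;
// the session cookie rides along and the option is overwritten.
add_action( 'wp_ajax_example_viewer_save_unsafe', 'example_viewer_save_unsafe' );
function example_viewer_save_unsafe() {
    $url = isset( $_POST['viewer_url'] ) ? $_POST['viewer_url'] : '';
    update_option( 'example_viewer_url', $url );
    wp_send_json_success();
}

// --- Hardened pattern ---
// 1. check_ajax_referer() validates the nonce that WordPress issued to the page
//    that rendered the form. A cross-site page cannot read that nonce, so a
//    forged request fails here (the call dies with HTTP 403 by default).
// 2. current_user_can() enforces least privilege on top of the CSRF check.
// 3. Input is unslashed and sanitized before it is stored.
add_action( 'wp_ajax_example_viewer_save', 'example_viewer_save_safe' );
function example_viewer_save_safe() {
    check_ajax_referer( 'example_viewer_save', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $url = isset( $_POST['viewer_url'] )
        ? esc_url_raw( wp_unslash( $_POST['viewer_url'] ) )
        : '';
    update_option( 'example_viewer_url', $url );
    wp_send_json_success();
}

// The settings page must emit the matching nonce so the plugin's own
// JavaScript can send it back in the 'nonce' POST field.
function example_viewer_render_settings() {
    echo '<form method="post">';
    wp_nonce_field( 'example_viewer_save', 'nonce' );
    echo '<input type="url" name="viewer_url" value="'
        . esc_attr( get_option( 'example_viewer_url', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

For classic (non‑AJAX) form posts the equivalent check is `check_admin_referer()` with the same action string. Setting the site’s session cookies to `SameSite=Lax` or `Strict` is a useful second layer, but it does not replace the nonce check, since the server‑side verification is what the advisory’s CWE‑352 weakness is missing. From a detection standpoint, failed nonce checks surface as 403 responses from `admin-ajax.php` and `admin-post.php`; a burst of them from one user session is worth reviewing.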
OpenCVE Enrichment