Impact
The vulnerability is a classic cross-site request forgery (CSRF, CWE-352): the plugin exposes a state-changing action without verifying that the request originated from its own interface, so an attacker can craft a request that a logged-in user's browser submits automatically, session cookies included. The plugin then executes the operation with whatever permissions that user holds, potentially altering order numbers or other sensitive plugin data. The flaw does not grant remote code execution and does not raise the attacker's own privilege level; it lets the attacker borrow the victim's privileges for the forged request, so the impact scales with the role of the user who is tricked, with an administrator being the worst case.
Affected Systems
The flaw affects the BeRocket Sequential Order Numbers for WooCommerce plugin in all releases up to and including version 3.6.2, on WordPress sites running WooCommerce. No WordPress core or WooCommerce version constraints are listed, so any site running the plugin at an affected version should be treated as vulnerable regardless of its WordPress or WooCommerce version.
Risk and Exploitability
The CVSS base score of 4.3 (Medium) reflects moderate severity, and the EPSS score of less than 1% indicates a low but non-zero probability of exploitation in the next 30 days. The vulnerability is not listed in CISA's KEV catalog, so no confirmed in-the-wild exploitation has been recorded there. The realistic attack path is social engineering: the attacker lures a site administrator, or another user with the relevant permissions, into visiting a crafted page or clicking a malicious link while logged in. The browser attaches the session cookies, and the plugin performs the forged action as that user. Because exploitation requires an authenticated victim to interact, the flaw cannot be exploited against a site on its own, which is consistent with the Medium rating.
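The following is an added illustration of the bug class described in the Impact and Risk sections above, not code from the BeRocket plugin or from this advisory. It shows a hypothetical WordPress admin-post handler that changes a "next order number" option: first the vulnerable shape, where a capability check alone is present, then the hardened shape, where the request must also carry a WordPress nonce tied to the action. All action names, option names, capability and page slugs (`demo_set_next_order`, `demo_next_order_number`, `manage_woocommerce`, `demo-order-numbers`) are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Hook names, option names and the
// capability used below are assumptions for illustration only.

// VULNERABLE PATTERN: state-changing handler with no nonce verification.
// A capability check does not stop CSRF, because the victim IS authorized;
// the problem is that the request was not initiated from the plugin's own form.
add_action('admin_post_demo_set_next_order_vuln', function () {
    if (!current_user_can('manage_woocommerce')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    // Any third-party page the logged-in admin visits can auto-submit a form to
    // admin-post.php?action=demo_set_next_order_vuln with next_number=1, and the
    // browser will attach the WordPress auth cookies. This write then succeeds.
    update_option('demo_next_order_number', absint($_POST['next_number'] ?? 0));
    wp_safe_redirect(admin_url('admin.php?page=demo-order-numbers'));
    exit;
});

// HARDENED PATTERN: nonce bound to this specific action, checked before any
// state change, plus the same capability check. check_admin_referer() calls
// wp_die() with HTTP 403 when the nonce is missing, stale, or issued for a
// different action or user, so execution never reaches update_option().
add_action('admin_post_demo_set_next_order', function () {
    check_admin_referer('demo_set_next_order_action', 'demo_nonce');
    if (!current_user_can('manage_woocommerce')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    $next = absint($_POST['next_number'] ?? 0);
    if ($next < 1) {
        wp_die('Invalid order number', '', array('response' => 400));
    }
    update_option('demo_next_order_number', $next);
    wp_safe_redirect(admin_url('admin.php?page=demo-order-numbers'));
    exit;
});

// Same rule for AJAX endpoints: verify the nonce first, then the capability.
add_action('wp_ajax_demo_set_next_order', function () {
    check_ajax_referer('demo_set_next_order_action', 'demo_nonce'); // dies with -1 on failure
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error('forbidden', 403);
    }
    $next = absint($_POST['next_number'] ?? 0);
    if ($next < 1) {
        wp_send_json_error('invalid value', 400);
    }
    update_option('demo_next_order_number', $next);
    wp_send_json_success(array('next_number' => $next));
});

// Settings-page form that embeds the nonce the hardened handler expects.
// wp_nonce_field() emits a hidden input named demo_nonce plus _wp_http_referer.
function demo_render_order_number_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_set_next_order">
        <?php wp_nonce_field('demo_set_next_order_action', 'demo_nonce'); ?>
        <label for="demo_next_number">Next order number</label>
        <input type="number" id="demo_next_number" name="next_number" min="1"
               value="<?php echo esc_attr(get_option('demo_next_order_number', 1)); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}
```

Two points worth checking when auditing a plugin for this class of bug: the nonce must be verified before the first write, not after, and the nonce action string must be specific to the operation rather than a plugin-wide constant, otherwise a nonce leaked from a low-risk form can be replayed against a sensitive one. Relying on `SameSite` cookie defaults or on the `Referer` header instead of a nonce is not an adequate substitute, since both can be bypassed or absent depending on browser and request path.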