Cross‑Site Request Forgery exists in the WordPress 404 Image Redirection (Replace Broken Images) plugin when its version is 1.4 or earlier. The vulnerability allows an attacker to send HTTP requests that the plugin interprets as if they were issued by a legitimate user, enabling the attacker to modify plugin settings or trigger privileged actions without the user’s explicit approval. This flaw constitutes a classic CSRF weakness (CWE‑352) and poses a risk to data integrity and site configuration.

The issue impacts the wp‑buy WordPress plugin titled 404 Image Redirection (Replace Broken Images) across all releases from its initial availability through version 1.4. WordPress sites that have this plugin installed and have not upgraded beyond 1.4 remain vulnerable.

The CVSS score of 4.3 rates the vulnerability as moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. It is not listed in the CISA KEV catalog. The likely attack requires a victim to be logged in to the WordPress site so that the forged request contains a valid session cookie; this is inferred from the CSRF nature of the flaw. A social‑engineering campaign that directs a target to a malicious URL could trigger the exploit, allowing the attacker to alter plugin configuration or perform other state changes on the site.