Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the PickPlugins Wishlist plugin for WordPress. A malicious site can craft requests to the plugin's wishlist endpoints and have the victim's browser submit them with the victim's WordPress session cookies attached, so the plugin performs actions that only the authenticated user should be able to initiate. Because the affected versions do not verify a per-user nonce (or otherwise confirm that the request originated from the site's own pages), an attacker can trigger wishlist modifications such as adding or removing items without the user's consent. No direct disclosure of sensitive data is indicated, but the flaw provides a vector for unauthorized, state-changing activity on the victim's account.
Affected Systems
The affected product is the PickPlugins Wishlist plugin for WordPress, from an unspecified earliest version (listed as n/a) through 1.0.46. Any WordPress installation running one of those versions and accepting logged-in user requests on the plugin's wishlist processing routes is vulnerable. Administrators should check the installed plugin version (on the Plugins screen, or with `wp plugin list` under WP-CLI) and treat any version up to and including 1.0.46 as affected.
Risk and Exploitability
The CVSS score of 4.3 falls in the Medium band (4.0 to 6.9), and the EPSS score of <1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation. The attack vector is inferred to be a remote attacker hosting a malicious webpage that auto-submits a hidden form to the victim's WordPress site while the victim is authenticated; a cross-origin XMLHttpRequest or fetch with credentials would be blocked by the browser unless the site explicitly permitted it via CORS, so the form post is the practical vector. To exploit the flaw the victim must already have an active session with the target site and must load the attacker's page, and the forged request must match what the plugin's endpoint accepts. SameSite cookie defaults in modern browsers reduce but do not eliminate this exposure; the reliable fix is server-side nonce verification in the plugin.
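The following is an added illustration of the handler shape behind the flaw described in the Impact and Risk sections and of the standard WordPress fix; it is not code from the PickPlugins Wishlist plugin, and the action name `demo_wishlist_add`, the meta key `demo_wishlist`, the script handle `demo-wishlist` and the file `wishlist.js` are all hypothetical. The vulnerable function accepts any POST that arrives with the logged-in cookie, which is exactly what a hidden form on an attacker's page produces; the hardened function refuses a request unless it carries a nonce that only the site's own JavaScript could have obtained.

```php
<?php
/*
 * Added example, not the plugin's own code. All names below are hypothetical.
 *
 * A forged cross-site request looks like this (the attacker's page, not ours):
 *   <form action="https://victim.example/wp-admin/admin-ajax.php" method="POST">
 *     <input type="hidden" name="action" value="demo_wishlist_add">
 *     <input type="hidden" name="product_id" value="123">
 *   </form><script>document.forms[0].submit()</script>
 * The browser attaches the victim's WordPress auth cookies automatically.
 */

/* Vulnerable shape (shown for contrast, not registered below): nothing ties the
 * request to a page the user actually loaded, so the forged POST above succeeds. */
function demo_wishlist_add_vulnerable() {
    $user_id    = get_current_user_id();
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( ! $user_id || ! $product_id ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $list                = (array) get_user_meta( $user_id, 'demo_wishlist', true );
    $list[ $product_id ] = time();
    update_user_meta( $user_id, 'demo_wishlist', $list );
    wp_send_json_success( array_keys( $list ) );
}

/* Step 1 of the fix: hand a per-user, per-action nonce to the site's own script.
 * wishlist.js is expected to POST action=demo_wishlist_add, nonce=demoWishlist.nonce
 * and product_id=<id> to demoWishlist.ajaxUrl. A third-party page cannot read
 * this value because of the same-origin policy. */
function demo_wishlist_enqueue() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    wp_enqueue_script( 'demo-wishlist', plugins_url( 'wishlist.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-wishlist', 'demoWishlist', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_wishlist_add' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_wishlist_enqueue' );

/* Step 2 of the fix: verify the nonce before touching state, then check the
 * capability. check_ajax_referer() dies with HTTP 403 when the 'nonce' field is
 * missing or does not verify for this user and action, which is what every
 * forged cross-site request looks like. */
function demo_wishlist_add_hardened() {
    check_ajax_referer( 'demo_wishlist_add', 'nonce' );

    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id    = get_current_user_id();
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( ! $product_id ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $list                = (array) get_user_meta( $user_id, 'demo_wishlist', true );
    $list[ $product_id ] = time();
    update_user_meta( $user_id, 'demo_wishlist', $list );
    wp_send_json_success( array_keys( $list ) );
}
/* Only the hardened callback is registered; the fix replaces the vulnerable one. */
add_action( 'wp_ajax_demo_wishlist_add', 'demo_wishlist_add_hardened' );
```

The nonce is the control that matters: WordPress nonces are tied to the user, the action string and a time window, so the attacker's page cannot guess one, and `check_ajax_referer()` rejects the request before any meta is written. Checking `current_user_can()` as well keeps the endpoint from being reachable by sessions that should not be able to modify a wishlist at all.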
OpenCVE Enrichment