Impact
Cross‑Site Request Forgery (CSRF) is a vulnerability that lets an attacker cause an authenticated user's browser to submit a request the user did not intend. In the WordPress WP Performance Pack plugin, the flaw allows a state‑changing endpoint to be invoked without proper request‑origin validation (the nonce or referer check WordPress relies on to distinguish a deliberate submission from a forged one). The impact is that an attacker could perform actions on behalf of a logged‑in administrator or user, such as altering plugin settings or other privileged operations. This weakness is classified as CWE‑352 (Cross‑Site Request Forgery).
Affected Systems
The WP Performance Pack plugin for WordPress, created by Bjoern, is affected. Versions up to and including 2.5.4 are vulnerable, meaning any WordPress site running those versions remains exposed.
Risk and Exploitability
The CVSS score of 4.3 places this vulnerability in the medium severity band: the damage is not catastrophic, but the flaw can still be used to disrupt functionality for authenticated users. The EPSS score of <1% indicates that exploitation is considered unlikely on a global scale, and the vulnerability is not currently listed in the CISA KEV catalog. The most likely attack path is a standard CSRF: the attacker lures a logged‑in user to a page that issues a crafted request to the site, and the user's browser attaches the session cookies automatically. The exact server‑side mechanism is not detailed, but it is inferred that a state‑changing endpoint can be triggered remotely within an authenticated session.
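The following is an added illustration of the fault class described under Impact and the attack path inferred under Risk and Exploitability; it is not code from WP Performance Pack and does not reflect how that plugin is written. It shows a hypothetical WordPress admin‑post settings handler that trusts any request from a logged‑in administrator, beside the hardened form that ties each submission to a per‑user, per‑action nonce. The action name `example_save_settings`, the option `example_cache_mode` and the nonce field `_example_nonce` are invented for the example; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`) are real.

```php
<?php
/*
 * Added illustration (not code from WP Performance Pack): a settings
 * handler with the missing-validation pattern that CWE-352 describes,
 * followed by the hardened form. Option, action and field names are
 * hypothetical.
 */

// --- Vulnerable pattern: every request from a logged-in admin is trusted ---
// The browser attaches the admin's session cookies to any request aimed at
// admin-post.php, whether the admin submitted the form or a third-party
// page did, so this handler cannot tell the two apart.
add_action( 'admin_post_example_save_settings_unsafe', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // No nonce / origin check: the option changes on behalf of whoever is
    // logged in, with whatever value the request carried.
    $mode = sanitize_text_field( wp_unslash( $_POST['cache_mode'] ?? '' ) );
    update_option( 'example_cache_mode', $mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
} );

// --- Hardened pattern: nonce check first, then capability, then whitelist ---
// The form that targets this handler is rendered with wp_nonce_field()
// (see example_render_settings_form below). A cross-site page cannot know
// the per-user, per-action token, so a forged request dies before any
// option is written.
add_action( 'admin_post_example_save_settings', function () {
    // Verifies the nonce (and, by default, the referer) and calls wp_die()
    // on failure, so nothing below runs for a forged request.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    $mode = sanitize_text_field( wp_unslash( $_POST['cache_mode'] ?? '' ) );
    // Accept only known values rather than storing arbitrary input.
    if ( ! in_array( $mode, array( 'off', 'basic', 'aggressive' ), true ) ) {
        wp_die( 'Invalid cache mode', 400 );
    }
    update_option( 'example_cache_mode', $mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
} );

// Settings form that emits the nonce field matching the hardened handler.
function example_render_settings_form() {
    $current = get_option( 'example_cache_mode', 'off' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <select name="cache_mode">
            <?php foreach ( array( 'off', 'basic', 'aggressive' ) as $m ) : ?>
                <option value="<?php echo esc_attr( $m ); ?>" <?php selected( $current, $m ); ?>>
                    <?php echo esc_html( $m ); ?>
                </option>
            <?php endforeach; ?>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The ordering in the hardened handler matters: the nonce check runs before anything else so that a forged request never reaches the capability check or the write. Capability alone is not a CSRF defence, because the forged request arrives with the victim's own privileges; the nonce is what proves the submission originated from a page the site itself rendered for that user.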