Impact
The WP Show Stats plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability, classified as CWE-352. A state-changing request handled by the plugin can be forged from a third-party web page because the handler does not verify a CSRF token (in WordPress terms, a nonce) or otherwise validate that the request originated from the plugin's own interface. When a logged-in user's browser is made to send such a request, the action executes with that user's privileges, so an attacker who holds no account on the site can alter the statistics the plugin displays or other plugin data. Confidentiality is not directly exposed; the integrity of the statistical data, and potentially the availability of the plugin's output to site visitors, can be compromised.
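The following is an added illustration of the weakness class described above; it is not code from WP Show Stats and makes no claim about how that plugin is written. It shows a generic WordPress admin-post handler first in the vulnerable shape (a state change with no nonce check) and then hardened with wp_nonce_field() and check_admin_referer(). The action name wpss_reset_stats, the option name wpss_counts, the nonce field name _wpss_nonce and the admin page slug wpss are all assumptions chosen for the example.

```php
<?php
// Added example, not from the WP Show Stats plugin. Names used here
// (wpss_reset_stats, wpss_counts, _wpss_nonce, page=wpss) are assumptions.

// --- Vulnerable pattern -------------------------------------------------
// Any request reaching admin-post.php with action=wpss_reset_stats is honored.
// A logged-in user who loads an attacker-controlled page that auto-submits a
// form with that action resets the data, because nothing proves the request
// came from the plugin's own UI. It would be registered as:
//   add_action('admin_post_wpss_reset_stats', 'wpss_reset_stats_vulnerable');
function wpss_reset_stats_vulnerable() {
    update_option('wpss_counts', array());          // state change, no nonce/origin check
    wp_safe_redirect(admin_url('admin.php?page=wpss'));
    exit;
}

// --- Hardened pattern ---------------------------------------------------
// The form carries a nonce bound to the action and the current user.
function wpss_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="wpss_reset_stats">
        <?php wp_nonce_field('wpss_reset_stats', '_wpss_nonce'); ?>
        <?php submit_button('Reset statistics'); ?>
    </form>
    <?php
}

add_action('admin_post_wpss_reset_stats', 'wpss_reset_stats_hardened');
function wpss_reset_stats_hardened() {
    // check_admin_referer() stops the request (WordPress's "link has expired"
    // page) when the nonce is missing, stale, or was minted for another user
    // or another action. A cross-site form cannot supply a valid one.
    check_admin_referer('wpss_reset_stats', '_wpss_nonce');

    // A nonce is CSRF protection, not authorization: still check capability.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to do this.'), '', array('response' => 403));
    }

    update_option('wpss_counts', array());
    wp_safe_redirect(admin_url('admin.php?page=wpss'));
    exit;
}
```

The same rule applies to the plugin's other entry points: admin-ajax.php handlers should call check_ajax_referer(), and REST routes should rely on the X-WP-Nonce header plus a permission_callback. Unauthenticated-looking endpoints (for example a front-end view counter) are exactly where nonce checks tend to be forgotten, so review every hook that writes options or database rows, not only the settings page.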
Affected Systems
WordPress sites running the WP Show Stats plugin by Ashish Ajani at version 1.5 or earlier are affected. Administrators can confirm whether the plugin is installed, and at which version, from the Plugins screen in wp-admin or, from a shell on the host, with the WP-CLI command wp plugin list. Any deployment at an affected version should be treated as vulnerable until a fixed release is installed or the plugin is deactivated, since a deactivated plugin's handlers are not loaded and cannot be reached by a forged request.
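For hosts without WP-CLI, the check can be done directly against the plugin's header in the filesystem. The script below is an added example, not part of the advisory or the plugin: it reads the Version header from the plugin directory and compares it numerically with 1.5. The directory name wp-show-stats is an assumption about the plugin slug; adjust it to whatever directory the plugin uses on your site.

```bash
#!/usr/bin/env bash
# Added example, not from the advisory or the plugin. Reports whether a
# WordPress install carries WP Show Stats at a version <= 1.5.
# The slug "wp-show-stats" is an assumption; adjust it for your site.
set -u

VULN_MAX="1.5"   # highest affected version named in the advisory

# Print the "Version:" header found in the plugin's main PHP file.
# Usage: plugin_version <plugin_dir>; exit 1 if no header is found.
plugin_version() {
  local dir="$1" f v
  for f in "$dir"/*.php; do
    [ -f "$f" ] || continue
    # WordPress reads plugin headers from the leading comment block, e.g.
    #  * Version: 1.5
    v=$(head -n 60 "$f" \
        | sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9A-Za-z.]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  done
  return 1
}

# Return 0 if version $1 <= version $2 comparing dotted components numerically
# (so 1.10 > 1.5, unlike a plain string compare), else return 1.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 0 }'
}

# Usage: check_wp_show_stats <wordpress_root>
# Exit 0 = affected version present; exit 1 = plugin absent or outside range.
check_wp_show_stats() {
  local root="$1" dir="$1/wp-content/plugins/wp-show-stats" v
  [ -d "$dir" ] || { echo "wp-show-stats: not installed under $root"; return 1; }
  v=$(plugin_version "$dir") || { echo "wp-show-stats: no Version header found"; return 1; }
  if version_le "$v" "$VULN_MAX"; then
    echo "wp-show-stats $v: AFFECTED (<= $VULN_MAX)"
    return 0
  fi
  echo "wp-show-stats $v: not in affected range"
  return 1
}
```

Run it as check_wp_show_stats /var/www/html (or whatever the site root is) and use the exit status in a fleet-wide sweep; the awk comparison is there because a plain string compare would wrongly rank a hypothetical 1.10 below 1.5.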
Risk and Exploitability
A CVSS base score of 4.3 places the issue at Medium severity, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which is consistent with no confirmed public exploitation. The attack vector is inferred to be network-based: the forged request is an ordinary HTTP request to the WordPress site. The attacker needs no account on the target, but the attack does require user interaction: a user who is currently logged in must be induced to open an attacker-controlled page or link that submits the forged form, and the victim's browser must attach the site's authentication cookies to that cross-site request. Browser SameSite cookie defaults reduce, but do not eliminate, the reach of such forms, so the missing server-side check remains the defect to fix.
OpenCVE Enrichment