Impact
A Cross‑Site Request Forgery vulnerability exists in ThemeGoods Grand Restaurant theme versions up to and including 7.0. The flaw enables an attacker to trick a logged‑in user into submitting a forged request that the site accepts as legitimate, potentially resulting in unauthorized changes or actions performed with the victim’s privileges. This weakness falls under CWE‑352 and can undermine the confidentiality, integrity, and availability of content managed through the affected WordPress installation.
Affected Systems
The vulnerability is present in the Grand Restaurant theme distributed by ThemeGoods, affecting all theme releases from unspecified earlier versions through 7.0. The issue is triggered by the theme’s handling of state‑changing requests without proper CSRF protection.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Because CSRF relies on a victim's authenticated session, an attacker would typically need to lure the user to a malicious site that submits a crafted request to the vulnerable WordPress site. The lack of anti‑CSRF tokens (WordPress nonces) or Referer checks on state‑changing requests makes exploitation straightforward for a determined threat actor, though the overall risk remains moderate due to the low exploitation probability.
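To make the missing control concrete, the following added example (not code from the Grand Restaurant theme or from ThemeGoods) shows a hypothetical WordPress admin handler that changes a setting with no CSRF protection, beside the same handler hardened with a WordPress nonce; the option name, action name and function names are invented for illustration.

```php
<?php
// Added illustration, not code from the Grand Restaurant theme.
// Hypothetical theme option handler: the "before" form accepts any POST
// arriving with a logged-in user's cookies, the "after" form also requires
// a WordPress nonce bound to this action and this user.

// BEFORE: the state change is gated only on the session and the capability.
// A forged cross-site POST made by an admin's browser passes this check.
function gr_example_save_option_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    update_option( 'gr_example_setting', sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) ) );
}

// AFTER, step 1: the form embeds a nonce field that only the legitimate
// page can produce for the current user.
function gr_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gr_example_save_option">
        <?php wp_nonce_field( 'gr_example_save_option', 'gr_example_nonce' ); ?>
        <input type="text" name="setting">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, step 2: the handler verifies the nonce before touching state.
function gr_example_save_option_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // check_admin_referer() validates the nonce (and the Referer header) and
    // terminates with a 403 if either is missing or invalid, so a request
    // forged from another origin never reaches update_option().
    check_admin_referer( 'gr_example_save_option', 'gr_example_nonce' );
    update_option( 'gr_example_setting', sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_gr_example_save_option', 'gr_example_save_option_protected' );
```

When reviewing a theme or plugin for this class of issue, look for every handler that calls update_option(), wp_update_post() or similar and confirm it runs check_admin_referer(), check_ajax_referer() or wp_verify_nonce() first.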