Impact
The vulnerability stems from missing CSRF token validation (CWE-352) on certain actions performed by the Easy Child Theme Creator plugin. As a result, an attacker can trick an authenticated WordPress administrator into submitting unwanted changes to the site's theme settings or other administrative actions, compromising the integrity of the site's appearance and functionality. While the flaw does not by itself provide code execution, the impact can still be significant: site presentation can be altered, and further attacks become possible if other privileged actions are available.
Affected Systems
The affected product is the WordPress Easy Child Theme Creator plugin by Ashok G, versions from the initial release through 1.3.1. Any WordPress site running one of these versions remains vulnerable until the component is updated to a fixed release.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk, and an EPSS score of less than 1% suggests a very low likelihood of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to lure an authenticated user into opening a malicious URL or crafted link; once the browser sends the authenticated request, the plugin processes the action without further verification, allowing the attacker to make unauthorized changes.
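To make the defect class described above concrete, here is an added illustration (not the plugin's actual code; every function, option and action name is hypothetical) contrasting an admin action that trusts any authenticated request with one that verifies a nonce and a capability before changing state:

```php
<?php
// Hypothetical admin-post handler illustrating CWE-352 in a WordPress plugin.
// NOT the Easy Child Theme Creator's code; option and action names are made up.

// --- Vulnerable pattern: processed as soon as the request carries an admin session.
function ectc_demo_save_settings_vulnerable() {
    // Nothing proves the request originated from the plugin's own settings page,
    // so a cross-site form submission riding on the admin's cookies is accepted.
    $theme_name = sanitize_text_field( wp_unslash( $_POST['child_theme_name'] ?? '' ) );
    update_option( 'ectc_demo_child_theme_name', $theme_name );
    wp_safe_redirect( admin_url( 'themes.php?page=ectc-demo&saved=1' ) );
    exit;
}

// --- Hardened pattern: capability check plus nonce verification before any state change.
function ectc_demo_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage themes may change this option.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ectc-demo' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the nonce is bound to the logged-in user and the action name;
    //    a third-party site cannot read it, so it cannot forge a valid request.
    //    check_admin_referer() calls wp_die() itself when the nonce is missing or stale.
    check_admin_referer( 'ectc_demo_save_settings', 'ectc_demo_nonce' );

    $theme_name = sanitize_text_field( wp_unslash( $_POST['child_theme_name'] ?? '' ) );
    update_option( 'ectc_demo_child_theme_name', $theme_name );
    wp_safe_redirect( admin_url( 'themes.php?page=ectc-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_ectc_demo_save_settings', 'ectc_demo_save_settings_hardened' );

// The settings form must emit the matching nonce field so legitimate submissions pass.
function ectc_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ectc_demo_save_settings">
        <?php wp_nonce_field( 'ectc_demo_save_settings', 'ectc_demo_nonce' ); ?>
        <input type="text" name="child_theme_name">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, look for every `admin_post_*`, `admin_init` or AJAX handler that writes options or files and confirm it reaches a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call and a `current_user_can()` check before the write.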