The Verge3D plugin for WordPress contains a cross‑site request forgery vulnerability (CWE‑352) that allows an attacker to induce a logged‑in user to perform actions without the user’s consent. An attacker can craft a malicious request that the browser will automatically submit on behalf of the victim, potentially changing plugin settings, initiating downloads, or executing other privileged functions that the plugin exposes. Because the vulnerability permits state change without user confirmation, it can lead to unauthorized configuration changes, data loss, or contamination of the site content.

The affected product is Soft8Soft LLC’s Verge3D WordPress plugin. All plugin versions up through 4.9.0 are vulnerable, including any earlier releases. The plugin is typically installed on sites that run WordPress, so the vulnerability applies to any WordPress site that has an older Verge3D plugin installed.

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests that the likelihood of an exploit is currently low. The vulnerability is not listed in CISA’s KEV catalog, further indicating it has not yet been widely leveraged by threat actors. The most probable exploitation scenario requires an authenticated victim; an attacker would need to convince the victim to visit a crafted URL or click a malicious link while the victim is logged into the site. Because the flaw lacks an authentication bypass, it cannot be exploited by non‑authenticated users. The risk remains moderate until the plugin is updated.