Impact
The vulnerability is a Cross‑Site Request Forgery flaw (CWE‑352) that allows an attacker to cause a victim's browser to submit requests that the plugin processes as if the user had made them, without the user’s knowledge or consent, potentially modifying shipping rules or related settings. This can compromise data integrity and control over shipping logic, giving an attacker an indirect means to influence order processing and fulfillment.
Affected Systems
WordPress sites that have installed the Conditional Shipping for WooCommerce plugin from WP Trio, version 3.4.0 or earlier. No newer versions are reported to be affected.
Risk and Exploitability
The CVSS score of 6.5 reflects a moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an attacker tricking a user into visiting a malicious webpage that submits a forged request to the plugin’s endpoints; however, the CVE data does not specify whether the attack requires the user to be authenticated, so that requirement should be treated as uncertain. Because loss of control over shipping logic can have significant operational impact, the damage could be substantial if the vulnerability is exploited. The combination of moderate CVSS, very low EPSS, and absence from KEV suggests a low overall likelihood of widespread exploitation but a non‑negligible impact if an attacker targets a specific site.
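The standard fix for a CWE‑352 flaw in a WordPress plugin is to bind every state‑changing request to a nonce that WordPress issued to the current user and to check the user's capability before acting. The following is an added example, not code from the Conditional Shipping for WooCommerce plugin or from WP Trio; it shows a hypothetical settings‑save handler in its unprotected form beside a hardened form. The option name `hypo_shipping_rules`, the action name `hypo_save_shipping_rules`, the nonce field name `hypo_nonce` and the form field are invented; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are real, and `manage_woocommerce` is assumed to be the appropriate WooCommerce capability.

```php
<?php
// Added example, not the plugin's code. All names prefixed "hypo_" are invented.

// --- Unprotected pattern (CWE-352): acts on any POST that reaches the handler ---
// A page the browser visits while the user is logged in to wp-admin can submit a
// form to admin-post.php and this handler stores whatever values it receives.
// There is no nonce check and no capability check.
function hypo_save_shipping_rules_unprotected() {
    $raw = isset( $_POST['shipping_rules'] ) ? wp_unslash( $_POST['shipping_rules'] ) : '';
    update_option( 'hypo_shipping_rules', $raw );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-shipping&saved=1' ) );
    exit;
}

// --- Hardened handler: capability check + action-specific nonce ---
function hypo_save_shipping_rules_hardened() {
    // 1. Authorization: is this user allowed to change shipping rules at all?
    //    (Defense in depth; the CSRF fix itself is step 2.)
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: was this request produced by a form WordPress rendered
    //    for this user? The nonce is tied to the action name and the user session.
    //    check_admin_referer() terminates with HTTP 403 if the nonce is missing,
    //    invalid or expired, so code below only runs for legitimate submissions.
    check_admin_referer( 'hypo_save_shipping_rules', 'hypo_nonce' );

    // 3. Validate/sanitize before storing.
    $raw   = isset( $_POST['shipping_rules'] ) ? wp_unslash( $_POST['shipping_rules'] ) : '';
    $rules = sanitize_textarea_field( $raw );
    update_option( 'hypo_shipping_rules', $rules );

    wp_safe_redirect( admin_url( 'admin.php?page=hypo-shipping&saved=1' ) );
    exit;
}
// admin_post_{action} runs for logged-in users posting action=hypo_save_shipping_rules.
add_action( 'admin_post_hypo_save_shipping_rules', 'hypo_save_shipping_rules_hardened' );

// Settings form that emits the nonce field the hardened handler expects.
// A forged cross-site form cannot include a valid value for hypo_nonce.
function hypo_render_shipping_rules_form() {
    $rules = get_option( 'hypo_shipping_rules', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_shipping_rules">
        <?php wp_nonce_field( 'hypo_save_shipping_rules', 'hypo_nonce' ); ?>
        <textarea name="shipping_rules" rows="8" cols="60"><?php echo esc_textarea( $rules ); ?></textarea>
        <?php submit_button( 'Save rules' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of flaw, look for every `admin_post_*`, `wp_ajax_*` and REST callback that calls `update_option`, `update_post_meta` or similar, and confirm that a nonce check (`check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce`) and a capability check both run before the write; a nonce check alone stops CSRF, but without the capability check any logged‑in user who can reach the form could change the settings directly.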
OpenCVE Enrichment