Impact
The vulnerability is a Cross‑Site Request Forgery flaw in the WordPress wp‑cyr‑cho plugin that allows an attacker to trick an authenticated user into performing unwanted actions through the plugin. Because the plugin lacks proper CSRF protections, any request that triggers sensitive functionality can be forged. An attacker who successfully gets the user to visit a malicious link could cause the plugin to modify settings or submit data without the user’s consent. The flaw is classified as CWE‑352.
Affected Systems
Any WordPress site running the wp‑cyr‑cho plugin in a version up to and including 0.1 is affected. The plugin is distributed by the vendor ktsvetkov under the name wp‑cyr‑cho. No specific WordPress core version is mentioned, so the vulnerability applies to any installation containing those plugin versions regardless of the WordPress version.
Risk and Exploitability
Based on the description, the likely attack vector is an authenticated user being tricked into visiting a crafted URL or submitting a forged request while logged in. The CVSS score of 4.3 indicates a moderate impact. The EPSS score of less than 1% shows that the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to drive a target user to a crafted URL or otherwise coerce them into submitting a forged request while authenticated. Once the user submits that request, the plugin executes it, potentially allowing the attacker to alter plugin settings or trigger other actions controlled by the plugin.
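As an added illustration that is not the wp‑cyr‑cho plugin's own code: a minimal WordPress settings handler in the shape the advisory describes, first without any request-origin check and then hardened with the nonce and capability checks WordPress provides. The option name, action name and form fields are assumed for illustration; the WordPress functions used are real.

```php
<?php
// Added illustration, not wp-cyr-cho source. Option/action names are assumed.

// Vulnerable pattern: any POST to admin-post.php?action=wp_cyr_cho_save is
// accepted as long as the victim's browser attaches its logged-in cookies,
// so a form on a page the victim visits can submit it on their behalf
// (CWE-352). Shown for contrast only; it is deliberately not hooked below.
function wp_cyr_cho_save_unsafe() {
    $mode = isset($_POST['mode']) ? sanitize_text_field(wp_unslash($_POST['mode'])) : '';
    update_option('wp_cyr_cho_mode', $mode);
    wp_safe_redirect(admin_url('options-general.php?page=wp-cyr-cho'));
    exit;
}

// Hardened pattern: the settings form embeds a nonce tied to the logged-in
// user and to this specific action, and the handler refuses requests that
// lack a valid one. It also checks a capability rather than relying on the
// request merely coming from a logged-in session.
function wp_cyr_cho_settings_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="wp_cyr_cho_save">';
    wp_nonce_field('wp_cyr_cho_save', '_wpnonce');   // per-user, per-action token
    echo '<input type="text" name="mode">';
    submit_button('Save');
    echo '</form>';
}

function wp_cyr_cho_save_safe() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // Dies with a "link expired" page unless $_POST['_wpnonce'] holds a valid
    // nonce for 'wp_cyr_cho_save'. A form on another origin cannot read or
    // guess this value, so a forged submission is rejected before any change.
    check_admin_referer('wp_cyr_cho_save', '_wpnonce');

    $mode = isset($_POST['mode']) ? sanitize_text_field(wp_unslash($_POST['mode'])) : '';
    update_option('wp_cyr_cho_mode', $mode);
    wp_safe_redirect(admin_url('options-general.php?page=wp-cyr-cho'));
    exit;
}

// Wire only the hardened handler (admin_post_{action} runs for logged-in users).
add_action('admin_post_wp_cyr_cho_save', 'wp_cyr_cho_save_safe');
```

When reviewing a plugin for this class of flaw, the thing to look for is exactly this pairing: every state-changing handler should call check_admin_referer (or wp_verify_nonce) and a current_user_can check, and every form that reaches it should emit the matching wp_nonce_field.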