Impact
Cross‑Site Request Forgery (CSRF) in the SCSS‑Library WordPress plugin permits an attacker to trick a logged‑in user, or the site itself, into submitting malicious requests that perform privileged actions. Based on the description, the root cause is inferred to be missing or improperly validated CSRF tokens on state‑changing endpoints, although the CVE description does not state this explicitly. An attacker can target the site by hosting a malicious page that submits a form or AJAX request to the plugin’s URLs, leading to unauthorized content modifications, configuration changes, or other unintended server‑side operations. The impact is confined to the site that hosts the vulnerable plugin, potentially compromising both data integrity and confidentiality for logged‑in users and for the website operator.
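The pattern the advisory describes, as an added illustration that is not code from the SCSS‑Library plugin: a hypothetical WordPress admin‑post handler that saves a plugin setting, shown first without any request‑origin check and then hardened with the nonce and capability checks WordPress provides. The hook names, the `example_scss` prefix, the option name and the settings page slug are all assumptions for the example.

```php
<?php
// Added example, not the SCSS-Library plugin's own code. Everything prefixed
// example_scss_ is a hypothetical name chosen for illustration.

/* ---- Vulnerable pattern: trusts any request that reaches the endpoint ---- */
function example_scss_save_vulnerable() {
    // No nonce and no capability check: a form on any third-party page the
    // victim's browser visits can submit here, and the browser attaches the
    // victim's WordPress session cookie automatically.
    update_option( 'example_scss_entry', sanitize_text_field( wp_unslash( $_POST['entry'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-scss' ) );
    exit;
}
add_action( 'admin_post_example_scss_save_vulnerable', 'example_scss_save_vulnerable' );

/* ---- Hardened pattern: method + capability + nonce, before any state change ---- */
function example_scss_save_hardened() {
    // 1. A state change should only be reachable via POST.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // 2. The requester must hold the capability this action requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. The form must carry a nonce bound to this action and this user; a
    //    cross-site page cannot read it. check_admin_referer() dies on failure.
    check_admin_referer( 'example_scss_save', 'example_scss_nonce' );

    update_option( 'example_scss_entry', sanitize_text_field( wp_unslash( $_POST['entry'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-scss' ) ) );
    exit;
}
add_action( 'admin_post_example_scss_save_hardened', 'example_scss_save_hardened' );

/* ---- The settings form that issues the nonce the hardened handler expects ---- */
function example_scss_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_scss_save_hardened">
        <?php wp_nonce_field( 'example_scss_save', 'example_scss_nonce' ); ?>
        <input type="text" name="entry"
               value="<?php echo esc_attr( get_option( 'example_scss_entry', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/* ---- The same protection for an AJAX endpoint (admin-ajax.php) ---- */
function example_scss_ajax_save() {
    // check_ajax_referer() verifies the nonce sent in the 'nonce' field and
    // exits before any state change when it is missing or invalid. The nonce
    // itself is issued to the page with wp_create_nonce( 'example_scss_ajax' ).
    check_ajax_referer( 'example_scss_ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_scss_entry', sanitize_text_field( wp_unslash( $_POST['entry'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_scss_save', 'example_scss_ajax_save' );
```

The ordering matters: the capability check rejects requests from accounts that should never reach the action, and the nonce check rejects requests the legitimate user did not knowingly initiate; neither replaces the other. WordPress nonces are tied to the user, the action string and a time window, so a token harvested from one account or one form does not validate for another. For endpoints registered through the REST API the equivalent control is a non‑trivial `permission_callback` on `register_rest_route()` together with the `X-WP-Nonce` header that the core `wp-api-fetch` client sends.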
Affected Systems
The affected software is the SCSS‑Library plugin for WordPress, developed by Sebastian Echeverry. All releases from the initial release up to and including version 0.4.1 are vulnerable. WordPress sites running SCSS‑Library 0.4.1 or earlier lack the necessary CSRF protections on the plugin’s endpoints. No other plugins or WordPress components are mentioned as affected by this CVE.
Risk and Exploitability
The CVSS base score of 4.3 indicates medium severity, reflecting the limited impact. The EPSS score of less than 1% indicates that public exploitation is unlikely or currently rare. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed exploitation in the wild. The most likely attack vector is inferred to be web‑based: the attacker hosts a crafted page that submits requests to the victim site through a user with an active session or through a vulnerable plugin endpoint. Because the flaw does not require authentication, any visitor to the site could be targeted, but the attacker must rely on the victim’s browser to execute the forged request.
OpenCVE Enrichment