Impact
Cross-Site Request Forgery (CSRF) lets an attacker cause a logged-in WordPress user's browser to submit state-changing requests that the user is already authorized to make; the attacker never needs the victim's credentials, only a page the victim visits while authenticated. In the case of the Listamester plugin, a malicious site could coerce a logged-in administrator or editor into submitting forged requests to the plugin, affecting site content or settings and potentially leading to unauthorized content manipulation or administrative changes. The root cause is CWE-352: the plugin does not sufficiently verify that a well-formed, valid request was intentionally submitted by the user who appears to have sent it, so a request that originated on another site is processed as if the user had initiated it. In WordPress this verification is normally a nonce check (check_admin_referer() or wp_verify_nonce()) on every state-changing handler, in addition to the capability check; a capability check alone does not help, because the victim of a CSRF attack genuinely holds the capability.
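To make the CWE-352 weakness concrete, the following is an added example written for this page; it is not Listamester's code and does not reproduce the plugin's actual handlers, option names or endpoints. It uses a hypothetical settings handler wired to WordPress's admin-post.php (action names `lm_save_insecure` and `lm_save`, option `lm_notification_email` and nonce action `lm_save_settings` are all invented). The first handler performs only a capability check and is therefore forgeable from any site the administrator visits; the second adds the nonce check that stops the forged request. All WordPress functions used (`add_action`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `update_option`, `wp_safe_redirect`, `admin_url`) are the real core APIs.

```php
<?php
/*
 * Added illustrative example, not Listamester's code. Everything named lm_* is hypothetical.
 *
 * Both handlers are reached via POST https://victim-site/wp-admin/admin-post.php with a
 * hidden field  action=<name>, which WordPress dispatches to the admin_post_<name> hook
 * for logged-in users.
 */

/* ---------- BEFORE: forgeable handler (the CWE-352 pattern) ---------- */
add_action('admin_post_lm_save_insecure', 'lm_save_insecure');
function lm_save_insecure() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // Nothing here proves the administrator meant to send this request.  A page on
    // attacker.example containing
    //   <form method="post" action="https://victim-site/wp-admin/admin-post.php">
    //     <input type="hidden" name="action" value="lm_save_insecure">
    //     <input type="hidden" name="email" value="attacker@attacker.example">
    //   </form><script>document.forms[0].submit()</script>
    // is submitted with the victim's WordPress auth cookies, passes the capability
    // check (the victim really is an admin) and silently changes the setting.
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    update_option('lm_notification_email', $email);
    wp_safe_redirect(admin_url('options-general.php?page=lm'));
    exit;
}

/* ---------- AFTER: same handler with CSRF protection ---------- */
add_action('admin_post_lm_save', 'lm_save');
function lm_save() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // check_admin_referer() verifies a nonce bound to this user, this action and a
    // limited time window.  A cross-origin page cannot read the nonce out of the
    // victim's admin screen, so a forged form fails here and WordPress calls wp_die().
    check_admin_referer('lm_save_settings', '_lm_nonce');

    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    update_option('lm_notification_email', $email);
    wp_safe_redirect(admin_url('options-general.php?page=lm'));
    exit;
}

/* The legitimate admin form that supplies the nonce the hardened handler expects. */
function lm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="lm_save">
        <?php wp_nonce_field('lm_save_settings', '_lm_nonce'); ?>
        <label>Notification email
            <input type="email" name="email"
                   value="<?php echo esc_attr(get_option('lm_notification_email', '')); ?>">
        </label>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, grep every `admin_post_*`, `admin_action_*`, `wp_ajax_*` and `init`-hooked handler that writes options or content and confirm it calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write. Modern browsers' SameSite=Lax default for cookies blocks many cross-site POSTs, but it is a mitigation rather than a fix: handlers that change state on GET remain exposed, and Chromium still attaches freshly set no-SameSite cookies to top-level cross-site POSTs for a short window, so the nonce check is still required.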
Affected Systems
WordPress sites running the Listamester plugin, specifically any release up to and including version 2.3.6. The vulnerability applies to all installations where the plugin is active, regardless of the site’s WordPress core or theme versions.
Risk and Exploitability
A CVSS score of 4.3 places the issue in the Medium severity band. The EPSS score of less than 1% suggests that exploitation in the wild is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog; both are point-in-time signals and should be rechecked if the plugin is in use. The attack vector is a standard CSRF scenario: the victim must be logged into the site, and the attacker must lure that user to a page under the attacker's control that submits forged requests to the Listamester plugin's endpoints. The attacker needs no credentials of their own. While the vector is not trivially exploitable, because it depends on user interaction, the impact is bounded only by the privileges of whichever user is tricked; an administrator or editor victim can be made to perform the content or settings changes described above without noticing.