Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to change the settings of the LessButtons Social Sharing and Statistics plugin without authorization. Because the settings handler lacks CSRF protection, an attacker could modify configuration values such as shared URLs or feature toggles, potentially causing mis-configured social sharing links or exposing the site to further attacks. This type of flaw undermines the integrity of the plugin's configuration and can lead to unintended data exposure or loss of control over social features.
Affected Systems
The affected product is the WordPress LessButtons Social Sharing and Statistics plugin developed by Chris Clark. All versions up to and including 1.6.1 are vulnerable. Any WordPress site running this plugin at version 1.6.1 or earlier without a patch applied is at risk.
Risk and Exploitability
With a CVSS score of 4.3 and an EPSS of less than 1%, this weakness is considered moderate, and the low exploitation probability indicates it is not widely targeted. An attacker would need to trick a logged-in administrator into visiting a crafted URL or submitting a forged form, which is the typical CSRF attack pattern. The vulnerability is not present in CISA's KEV catalog, so there is no evidence of widespread exploitation. Nonetheless, the potential impact on configuration integrity warrants timely remediation.
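The missing protection described above, shown as an added illustration rather than the LessButtons plugin's own code (the option, action and nonce names are hypothetical): a WordPress settings handler that saves options straight from the POST body, beside a hardened version that verifies the capability and the nonce that wp_nonce_field emits in the settings form.

```php
<?php
// Added illustration, not the plugin's code. Option/action/nonce names are hypothetical.

// BEFORE (vulnerable): the handler trusts any POST that reaches it. A forged form
// on another site, submitted by a logged-in administrator, changes the settings.
function example_save_settings_vulnerable() {
    update_option( 'example_share_url',  esc_url_raw( wp_unslash( $_POST['share_url'] ?? '' ) ) );
    update_option( 'example_show_stats', ! empty( $_POST['show_stats'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
}

// AFTER (hardened): check the capability and the nonce before touching any option.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Terminates with a 403 unless the request carries a valid nonce for this action;
    // the nonce is tied to the user and session, so a cross-site form cannot supply it.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    update_option( 'example_share_url',  esc_url_raw( wp_unslash( $_POST['share_url'] ?? '' ) ) );
    update_option( 'example_show_stats', ! empty( $_POST['show_stats'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The settings form must emit the matching nonce field, otherwise legitimate saves fail.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Share URL
            <input type="url" name="share_url"
                   value="<?php echo esc_attr( get_option( 'example_share_url', '' ) ); ?>">
        </label>
        <label>
            <input type="checkbox" name="show_stats" value="1"
                   <?php checked( 1, get_option( 'example_show_stats', 0 ) ); ?>>
            Show statistics
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every admin_post_* or options-page handler that calls update_option and confirm it reaches check_admin_referer (or wp_verify_nonce) and a capability check first.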
OpenCVE Enrichment