Impact
Cross-Site Request Forgery (CSRF) is present in the WordPress 결제 심플페이 pgall-for-woocommerce plugin. An authenticated user can be induced to issue unintended requests to the plugin's endpoints, allowing an attacker to perform arbitrary operations in that user's context, such as modifying payment settings, initiating fraudulent transactions, or altering user data. The flaw stems from the absence of CSRF protection on state-changing operations and is classified as CWE-352.
Affected Systems
The vulnerability affects version 5.2.11 and earlier of the WordPress 결제 심플페이 pgall-for-woocommerce plugin. The plugin is distributed by codemstory and is commonly installed on WooCommerce-based WordPress sites that use the SimplePay payment gateway. No other products or vendors are mentioned.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% reflects a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to be an authenticated user who visits a page crafted by the attacker; the victim's browser then submits requests to the vulnerable plugin's endpoints, carrying the victim's session, without the victim's consent. As with any CSRF, the attacker cannot directly access the target system but can abuse the victim's authenticated session to change critical payment configuration or perform other unauthorized operations.
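As an added illustration, not code from the pgall-for-woocommerce plugin (the advisory does not disclose the affected endpoints), the WordPress handler pattern that produces a CWE-352 weakness in a settings form, beside the nonce-and-capability-checked form WordPress expects for state-changing admin requests. Every function, action, option and field name below is hypothetical.

```php
<?php
// Added illustration; all pgall_example_* names are hypothetical placeholders.

// Vulnerable pattern: the handler trusts the logged-in cookie alone. Any page
// the administrator visits can submit this form on their behalf, because
// nothing ties the request to the plugin's own settings page (CWE-352).
function pgall_example_save_vulnerable() {
    update_option( 'pgall_example_merchant_id', wp_unslash( $_POST['merchant_id'] ) );
    wp_safe_redirect( admin_url( 'admin.php?page=pgall-example' ) );
    exit;
}

// Hardened pattern, part 1: the settings form embeds a nonce bound to this
// action and to the current user's session (WordPress nonces expire after
// 12 to 24 hours, so a captured one cannot be replayed indefinitely).
function pgall_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pgall_example_save">
        <?php wp_nonce_field( 'pgall_example_save', 'pgall_example_nonce' ); ?>
        <input type="text" name="merchant_id"
               value="<?php echo esc_attr( get_option( 'pgall_example_merchant_id', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler enforces authorization first, then
// rejects any request whose nonce is missing, expired, or issued for another
// action or user. check_admin_referer() ends the request with a 403 on failure.
function pgall_example_save_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'pgall_example_save', 'pgall_example_nonce' );

    $merchant_id = sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) );
    update_option( 'pgall_example_merchant_id', $merchant_id );
    wp_safe_redirect( admin_url( 'admin.php?page=pgall-example' ) );
    exit;
}

// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_post_pgall_example_save', 'pgall_example_save_hardened' );
```

For AJAX or REST endpoints the equivalent checks are check_ajax_referer() or the REST API's permission_callback with an X-WP-Nonce header; a CSRF-protection review of a plugin looks for every state-changing handler that lacks one of these.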
OpenCVE Enrichment