The Smaily for WP plugin contains a CSRF weakness that lets an external attacker cause an authenticated WordPress user to send a request that the plugin will accept without proper CSRF protection. This flaw is described by CWE‑352 and can be exploited to modify plugin settings, send unintended email campaigns, or otherwise influence the WordPress site state. The vulnerability is rated with a CVSS score of 5.4, indicating a moderate impact if successfully abused.

WordPress sites that have the Smaily for WP plugin installed with any version up to and including 3.1.7 are affected. No specific pre‑3.0 versions are listed, so all unspecified older releases are also considered vulnerable.

The CVSS score of 5.4 places this flaw in the medium severity range. The EPSS score of less than 1% indicates a very low current exploitation probability, and it is not included in the CISA KEV catalog. The likely attack vector is a CSRF attack wherein a victim who is an authenticated user of the WordPress site is tricked into visiting a crafted URL or clicking a link that triggers the malicious request. Because the vulnerability relies on user authentication, it cannot be exploited by a remote attacker who is not logged in. However, once a user is authenticated, the attacker could perform actions within the plugin's capabilities. The overall risk is moderate, but mitigation via immediate patching is recommended to eliminate the attack surface.