Impact
A Cross‑Site Request Forgery (CSRF) vulnerability (CWE‑352) exists in the Shohei Tanaka Japanized For WooCommerce WordPress plugin. The flaw lets an attacker send forged HTTP requests that the plugin treats as valid, potentially enabling the attacker to trigger WooCommerce actions such as placing orders, modifying orders or changing settings. The impact is that the authenticity of user‑initiated actions is undermined, compromising the integrity of the store’s transactions.
Affected Systems
WordPress installations running any version of the Shohei Tanaka Japanized For WooCommerce plugin up to and including version 2.6.40 are vulnerable. Any site that has not upgraded past this version remains at risk.
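To check a site against this version range, the following added example (not code from the plugin or from this advisory) reads the header comment of each plugin file under a plugins directory and flags versions up to and including 2.6.40. Matching on the `Plugin Name` header text and the sample folder names are assumptions; the plugin's real folder name is not given on this page.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 6, 40)                 # advisory: up to and including 2.6.40
NAME_NEEDLE = "japanized for woocommerce"  # assumption: matched in the Plugin Name header
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$",
                    re.I | re.M)

def read_headers(php_file):
    """Return the Plugin Name and Version header fields of one plugin file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")  # WordPress reads the first 8 KB
    found = {}
    for key, value in HEADER.findall(head):
        found.setdefault(key.lower(), value.strip())  # first occurrence wins
    return found

def parse_version(text):
    """Leading dotted-numeric part as a tuple padded to three fields, or None."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(plugins_dir):
    """List (folder, version string, status) for every matching plugin found."""
    rows = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php)
        if NAME_NEEDLE not in h.get("plugin name", "").lower():
            continue
        v = parse_version(h.get("version", ""))
        status = "unknown" if v is None else (
            "affected" if v <= LAST_AFFECTED else "not in affected range")
        rows.append((php.parent.name, h.get("version"), status))
    return rows

def demo():
    """Run audit() over a constructed plugins tree (sample data, not a real site)."""
    samples = {"shop-a": "2.6.40", "shop-b": "2.6.41", "shop-c": "trunk"}
    with tempfile.TemporaryDirectory() as root:
        for folder, version in samples.items():
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: Japanized for WooCommerce\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `audit()` with the path to `wp-content/plugins`; an `unknown` result means the version header could not be parsed and the install needs a manual look.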
Risk and Exploitability
The CVSS score of 5.4 indicates a medium-severity flaw, while the EPSS score of less than 1% points to a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an attacker would need to entice a logged-in user to click a crafted link or submit a forged form that targets the plugin's back end, exploiting the missing CSRF protection; this inference is based on the nature of CSRF attacks. If successful, the attacker could trigger any server-side action the authenticated user is authorized to perform within WooCommerce.