This vulnerability in the Rootspersona plugin permits Cross‑Site Request Forgery. An attacker can trick a logged‑in WordPress user into submitting a request that modifies site data or configuration without their consent. The weakness arises from lack of proper verification of the origin or intent of the request, a classic CSRF fault identified as CWE‑352. It allows attackers to perform state‑changing actions that the user is authorized to perform, potentially compromising site integrity.

The flaw affects the Rootspersona plugin distributed by ed4becky, versions up to and including 3.7.5. Users running any of these versions are potentially vulnerable, regardless of other site plugins or themes.

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote web-based, where an adversary hosts malicious content that causes the victim’s browser to send a forgery request using stored authentication cookies. Because the flaw relies on the victim’s authenticated session, an attacker would need to entice a legitimate user to visit a crafted page or supply a script that triggers the action.