Impact
The vulnerability is a Cross-Site Request Forgery flaw in the Century ToolKit plugin for WordPress. An attacker who tricks a legitimate user into visiting a crafted URL can cause WordPress to activate any plugin present on the site; the attacker needs no credentials of their own, because the forged request is processed under the victim's authenticated session. Activation of a malicious or vulnerable plugin can then enable code execution or further compromise. The weakness is classified as CWE-352 and directly impacts the confidentiality, integrity, and availability of the WordPress installation by allowing unauthorized configuration changes.
Affected Systems
Theme Century's Century Toolkit plugin for WordPress is affected. Every release up to and including version 1.2.1 is vulnerable, so any site with one of those versions installed is exposed.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, implying a low likelihood of exploitation in the near term, and the vulnerability has not entered the CISA KEV catalog. The likely attack vector is a remote, unauthenticated request triggered from a victim's browser: because the plugin-activation handler does not verify a CSRF token (WordPress nonce), the forged request is accepted, enabling arbitrary plugin activation and potentially more serious compromise.
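To make the weakness described in the Impact and Risk sections concrete, the following is an added illustration written for this advisory; it is not Century Toolkit's actual code. It shows the shape of a WordPress admin handler that activates a plugin named in a request parameter with no nonce or capability check (the CWE-352 pattern), next to a hardened version of the same feature that uses the standard WordPress nonce and capability APIs. The function names, the `century_tk_activate` nonce action and the `century_tk_plugin` parameter are assumptions made for the example.

```php
<?php
/**
 * Added illustration for this advisory (not Century Toolkit's actual code).
 * The function names, the 'century_tk_activate' nonce action and the
 * 'century_tk_plugin' request parameter are assumptions made for the example.
 */

// VULNERABLE PATTERN (CWE-352): the handler trusts a request parameter and
// activates whatever plugin it names. A browser that is logged in to the
// site sends its cookies with any request to the site, so a request the
// victim did not intend to make is accepted exactly like a legitimate one.
function century_tk_handle_activate_vulnerable() {
    if ( empty( $_GET['century_tk_plugin'] ) ) {
        return;
    }
    // No nonce check, no capability check, no validation of the slug.
    activate_plugin( $_GET['century_tk_plugin'] );
}

// HARDENED PATTERN: the same feature, gated three ways.
function century_tk_handle_activate_hardened() {
    if ( empty( $_GET['century_tk_plugin'] ) ) {
        return;
    }

    // 1. Authorization: only users allowed to activate plugins proceed.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'century-tk' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this
    //    user and this action (sent as _wpnonce by wp_nonce_url()).
    //    check_admin_referer() calls wp_die() on failure, so a cross-site
    //    forged request never reaches the activation call.
    check_admin_referer( 'century_tk_activate' );

    // 3. Input validation: the value must be an installed plugin's
    //    "dir/file.php" identifier with no path traversal.
    $plugin = sanitize_text_field( wp_unslash( $_GET['century_tk_plugin'] ) );
    if ( validate_file( $plugin ) !== 0 || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( esc_html__( 'Invalid plugin.', 'century-tk' ), '', array( 'response' => 400 ) );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }

    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_init', 'century_tk_handle_activate_hardened' );

// Minting the activation link: the nonce is bound to the logged-in user
// and to the 'century_tk_activate' action. Only a page rendered for that
// user can contain this value, which is why a link crafted elsewhere
// fails check_admin_referer() above.
function century_tk_activate_link( $plugin ) {
    $url = add_query_arg( 'century_tk_plugin', rawurlencode( $plugin ), admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'century_tk_activate' );
}
```

When reviewing a WordPress plugin for this class of bug, the useful check is the one the hardened handler makes explicit: any code path that reaches `activate_plugin()` (or another state-changing call) should be preceded by both a capability check and a nonce verification such as `check_admin_referer()` or `wp_verify_nonce()`; a state-changing handler hooked to `admin_init`, `init` or `admin_post_*` that lacks them is the pattern this advisory describes.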