Impact
The vulnerability allows attackers to forge requests that the plugin then processes on behalf of an authenticated administrator, potentially altering pricing rules without the administrator's explicit consent. The flaw stems from the lack of proper CSRF protection on the plugin's state-changing requests, enabling unauthorized changes to configuration and commerce settings. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery), a classic flaw that undermines the integrity of user‑initiated requests.
Affected Systems
Any WordPress site that has the ThemeHigh Dynamic Pricing and Discount Rules plugin installed with a version up to and including 2.2.9 is affected. The plugin is available through the WordPress plugin repository and may be present on a wide range of e‑commerce sites.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% suggests that exploit attempts are unlikely at this time. The issue is not listed in the CISA KEV catalog, further reducing its likely visibility in public exploits. An attacker can trigger the flaw by sending a crafted link to an administrator, exploiting the absence of CSRF tokens on the affected requests. Because the attack requires the target to be logged in, ordinary visitors cannot trigger the modification themselves. The path to exploitation is therefore widely reachable but limited to sessions holding administrative privileges.
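As an added illustration of the missing-token defect described above and in the Impact section (this is example code, not the ThemeHigh plugin's own source), the following contrasts a hypothetical WordPress admin-ajax handler that saves a pricing rule without a nonce check against a hardened version that binds each request to a per-user, per-action nonce. All `th_demo_*` names and the `th_demo_pricing_rule` option are invented for the example.

```php
<?php
// Added example, not code from the ThemeHigh plugin. All th_demo_* names are hypothetical.

// VULNERABLE (CWE-352): the handler accepts any request that arrives with an
// administrator's session cookie. The capability check alone cannot tell whether the
// administrator actually intended to submit this form.
function th_demo_save_rule_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rule = array(
        'product_id' => absint( $_POST['product_id'] ?? 0 ),
        'discount'   => floatval( $_POST['discount'] ?? 0 ),
    );
    update_option( 'th_demo_pricing_rule', $rule ); // saved with no proof of user intent
    wp_send_json_success( $rule );
}
add_action( 'wp_ajax_th_demo_save_rule_vulnerable', 'th_demo_save_rule_vulnerable' );

// HARDENED: require a nonce tied to this action and to the current user's session.
// Only pages this site renders for this user carry the nonce, so a request assembled
// on another origin fails the check before any state changes.
function th_demo_save_rule_hardened() {
    // Reads $_POST['_ajax_nonce'] (or '_wpnonce'); on mismatch wp_die()s with HTTP 403.
    check_ajax_referer( 'th_demo_save_rule' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rule = array(
        'product_id' => absint( wp_unslash( $_POST['product_id'] ?? 0 ) ),
        'discount'   => floatval( wp_unslash( $_POST['discount'] ?? 0 ) ),
    );
    update_option( 'th_demo_pricing_rule', $rule );
    wp_send_json_success( $rule );
}
add_action( 'wp_ajax_th_demo_save_rule_hardened', 'th_demo_save_rule_hardened' );

// The settings page that renders the form emits the matching nonce field, so a
// legitimate submission from the admin UI passes check_ajax_referer() above.
function th_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="th_demo_save_rule_hardened">
        <?php wp_nonce_field( 'th_demo_save_rule', '_ajax_nonce' ); ?>
        <input type="number" name="product_id">
        <input type="number" step="0.01" name="discount">
        <button type="submit">Save rule</button>
    </form>
    <?php
}
```

WordPress nonces are time-limited and keyed to the user session, so the hardened handler rejects a request even when the victim is logged in unless the form was rendered by this site for that user; the capability check is still needed, since a nonce proves intent, not authorization.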
OpenCVE Enrichment