Impact
A Cross-Site Request Forgery (CSRF) flaw exists in Vuong Nguyen's WP Security Master WordPress plugin, affecting all versions through 1.0.2. The vulnerability allows an attacker to force a legitimate user who is authenticated to the plugin's administrative interface to perform unintended actions, such as toggling settings, back-dooring the site, or deleting content. While the exact extent of the impact depends on which administrative functions are exposed, any change made without the user's explicit consent undermines the integrity of the site. The weakness is a classic CSRF token omission, identified as CWE-352.
Affected Systems
The vulnerability applies to every installation of Vuong Nguyen’s WP Security Master plugin from its earliest release up to and including version 1.0.2. The plugin is a WordPress‑based security suite that may run on shared or dedicated hosting environments and is typically activated via the WordPress plugins interface. Users who have not upgraded beyond 1.0.2 remain exposed.
Risk and Exploitability
The CVSS score of 4.3 reflects moderate severity; the EPSS score of less than 1% indicates a very low exploitation probability according to current data, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and browser-mediated: an attacker crafts a malicious link or web page that triggers the vulnerable plugin's endpoint when a logged-in user visits it. Because exploitation requires neither local privileges nor sophisticated social engineering, an attacker can trigger it unobserved through a phishing or compromised-website scenario. Even with low probability, the cumulative risk to site integrity makes immediate mitigation advisable.
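To make the CWE-352 weakness concrete, the following is an added illustration, not code from WP Security Master or its author: a hypothetical WordPress settings handler shown first in the CSRF-vulnerable form (no nonce check) and then hardened with the WordPress nonce and capability APIs. The option name, action name, nonce field name and settings page slug are assumed placeholders.

```php
<?php
// Added illustration (not the plugin's code). Names prefixed wpsm_demo_ are
// hypothetical placeholders; the WordPress API calls are real.

// VULNERABLE (CWE-352): any POST that reaches the endpoint is honoured, so a
// crafted page the victim visits can auto-submit this form with the victim's
// logged-in cookies and change the setting without consent.
function wpsm_demo_save_settings_vulnerable() {
    if ( isset( $_POST['wpsm_demo_mode'] ) ) {
        update_option( 'wpsm_demo_mode', sanitize_text_field( wp_unslash( $_POST['wpsm_demo_mode'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=wpsm-demo' ) );
    exit;
}

// HARDENED: capability check plus a per-user nonce the attacker's page cannot
// know. check_admin_referer() calls wp_die() on a missing or invalid nonce.
function wpsm_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpsm-demo' ), 403 );
    }
    check_admin_referer( 'wpsm_demo_save_settings', '_wpsm_demo_nonce' );

    $mode = isset( $_POST['wpsm_demo_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpsm_demo_mode'] ) )
        : 'off';
    // Whitelist the accepted values rather than storing arbitrary input.
    update_option( 'wpsm_demo_mode', in_array( $mode, array( 'on', 'off' ), true ) ? $mode : 'off' );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wpsm-demo' ) ) );
    exit;
}
add_action( 'admin_post_wpsm_demo_save_settings', 'wpsm_demo_save_settings_hardened' );

// The settings form must emit the matching nonce field for the check to pass.
function wpsm_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpsm_demo_save_settings">
        <?php wp_nonce_field( 'wpsm_demo_save_settings', '_wpsm_demo_nonce' ); ?>
        <label><input type="checkbox" name="wpsm_demo_mode" value="on"
            <?php checked( get_option( 'wpsm_demo_mode', 'off' ), 'on' ); ?>> Enable demo mode</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

For AJAX handlers the equivalent guard is check_ajax_referer(); for code paths that must not terminate the request, wp_verify_nonce() returns false instead of dying.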