Impact
This flaw is a Cross‑Site Request Forgery (CSRF, CWE‑352) in the Civi Framework plugin that lets an external site trigger the plugin's user deactivation action without the victim knowingly performing it. An attacker can craft a request that, when issued by the browser of a user who is authenticated to the site, deactivates a user account. As a result, legitimate users or administrators may lose access, potentially disrupting site operation and administrative control.
Affected Systems
Sites that host the uxper Civi Framework plugin at any version up to and including 2.1.6 are affected; the plugin is distributed by the vendor uxper. All releases with a version number of 2.1.6 or earlier are therefore considered vulnerable.
Risk and Exploitability
The CVSS score of 7.1 reflects high severity, indicating significant impact if exploited. The EPSS score of less than 1% indicates that the likelihood of exploitation is presently very low, although non‑zero. The vulnerability is not listed in the CISA KEV catalog. Exploitation follows the standard CSRF pattern: by luring an authenticated user to a malicious URL or embedding a hidden form, the attacker causes the victim's browser to invoke the deactivation endpoint with the victim's credentials. No privileges beyond those of the authenticated user are required, so the impact ranges from the loss of a single user account to the loss of administrative control if an administrator's account is deactivated.
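The defence against this class of bug is a request token bound to the action plus a capability check on the server side. The following is an added illustration, not code from the Civi Framework plugin (the advisory does not show the plugin's code); it assumes a WordPress admin-ajax handler with a hypothetical action name "example_deactivate_user" and shows the CSRF-exposed pattern beside the protected one.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress admin-ajax
// handler; the action name "example_deactivate_user" is hypothetical.

// Exposed pattern: every request that names a user id is honoured, so a
// forged cross-site request sent by a logged-in victim's browser succeeds.
function example_deactivate_user_unprotected() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    update_user_meta( $user_id, 'example_account_status', 'deactivated' );
    wp_send_json_success();
}

// Protected pattern: a nonce tied to this action proves the request came from
// a page the site itself rendered for this user, and a capability check stops
// a low-privileged user from deactivating anyone else.
function example_deactivate_user_protected() {
    // Stops with HTTP 403 unless "_ajax_nonce" holds a valid nonce created
    // for the "example_deactivate_user" action.
    check_ajax_referer( 'example_deactivate_user', '_ajax_nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_user_meta( $user_id, 'example_account_status', 'deactivated' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_deactivate_user', 'example_deactivate_user_protected' );

// The page that offers the button must embed a nonce minted for the same
// action; wp_create_nonce ties it to the current user and session, which is
// exactly what a third-party site cannot reproduce.
function example_render_deactivate_button( $user_id ) {
    printf(
        '<form method="post" action="%s">
            <input type="hidden" name="action" value="example_deactivate_user">
            <input type="hidden" name="_ajax_nonce" value="%s">
            <input type="hidden" name="user_id" value="%d">
            <button type="submit">Deactivate</button>
        </form>',
        esc_url( admin_url( 'admin-ajax.php' ) ),
        esc_attr( wp_create_nonce( 'example_deactivate_user' ) ),
        absint( $user_id )
    );
}
```

For detection, a request to the deactivation action that fails the nonce check, or one whose Origin or Referer header names a foreign site, is the signal to log and alert on.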