Impact
The vulnerability is a Cross-Site Request Forgery flaw in the Mailing Group Listserv plugin that allows an attacker to cause authenticated users to perform actions with the permissions they hold. This can result in unintended changes to site or group settings, posting of spam, or modification of subscription lists. The weakness, classified as CWE-352, enables an attacker to forge requests without the user's consent, effectively letting the attacker act with the privileges of the logged-in user.
Affected Systems
The security issue affects the WordPress Mailing Group Listserv plugin developed by Yamna Khawaja when installed on any WordPress site. All releases up to and including version 3.0.5 are vulnerable; newer releases are not affected.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector requires a victim to be authenticated to the WordPress site and to interact with the plugin's functionality, typically via a crafted request issued from a malicious site while the victim is logged in. Based on this description, exploitation would be client-assisted and would depend on a user visiting a malicious page or clicking a link targeting the plugin's endpoints.
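The standard WordPress mitigation for this class of flaw is a nonce tied to the form action plus a capability check in the handler. The following is an added example, not code from the Mailing Group Listserv plugin; the hook, option and nonce names are hypothetical, and it shows a CSRF-prone settings handler beside its hardened form.

```php
<?php
// Added example (not the plugin's own code). Hook, option and nonce names are assumed.

// Form markup: wp_nonce_field() emits a hidden nonce bound to the action name and
// the current user's session, which a page on another origin cannot obtain.
function mgl_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mgl_example_save_settings">';
    wp_nonce_field( 'mgl_example_save_settings', 'mgl_example_nonce' );
    echo '<input type="text" name="list_name">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// CSRF-prone handler: it trusts any POST that arrives with the victim's session
// cookie, so a form auto-submitted from a malicious page is accepted as the victim.
function mgl_example_save_settings_unsafe() {
    $list_name = sanitize_text_field( wp_unslash( $_POST['list_name'] ?? '' ) );
    update_option( 'mgl_example_list_name', $list_name );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened handler: check_admin_referer() calls wp_die() when the nonce is missing
// or invalid, and current_user_can() confirms the user may change these settings.
function mgl_example_save_settings() {
    check_admin_referer( 'mgl_example_save_settings', 'mgl_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'mgl-example' ), 403 );
    }
    $list_name = sanitize_text_field( wp_unslash( $_POST['list_name'] ?? '' ) );
    update_option( 'mgl_example_list_name', $list_name );
    wp_safe_redirect( admin_url( 'options-general.php?updated=1' ) );
    exit;
}
add_action( 'admin_post_mgl_example_save_settings', 'mgl_example_save_settings' );
```

For AJAX endpoints the same pattern applies with check_ajax_referer() in place of check_admin_referer(); a nonce check alone is not an authorisation check, so the capability test stays.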
OpenCVE Enrichment