Impact
The WP-Database-Optimizer-Tools plugin, up to and including version 0.2, contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to trigger actions the plugin exposes without the user's consent. The weakness, classified as CWE-352, means that an unauthenticated attacker could trick a logged-in administrator into submitting a forged request that modifies or optimizes the WordPress database, potentially leading to data loss or corruption. The risk is moderate: the attack goes through the plugin's own interfaces and depends on the administrator's interaction, but the attacker needs no privileged access of their own.
Affected Systems
The vulnerability affects all releases of WP-Database-Optimizer-Tools by pl4g4 at version 0.2 or earlier. No finer-grained release information is supplied, so any installation of the plugin in this range is considered vulnerable.
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a victim with administrative rights on the WordPress site being lured to a malicious website that submits a forged request to the plugin; the attacker rides on the victim's authenticated session, and a successful forgery could read or alter database contents. No active exploits have been reported, so the risk is primarily theoretical, but it remains present as long as the plugin is left in the vulnerable state.
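As an added illustration for the Impact and Risk sections above (this is not the plugin's code and is not taken from the advisory), the following PHP shows the pattern that closes this class of CSRF in a WordPress plugin: a handler that acts on any request it receives, next to one that verifies the caller's capability and a WordPress nonce before touching the database. All `wpdot_` names, the hook name and the allow-listed table set are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names use the
// "wpdot_" prefix. Requires a WordPress runtime (uses core APIs only).

// --- Vulnerable pattern (illustrative, not the plugin's source).
// Nothing ties the request to a form this site issued, and nothing checks
// who is asking, so a form on an attacker-controlled page submitted by a
// logged-in administrator is accepted exactly like a legitimate one.
function wpdot_handle_optimize_vulnerable() {
    global $wpdb;
    $table = $_POST['table'];
    $wpdb->query( "OPTIMIZE TABLE `{$table}`" );
}

// --- Hardened pattern.
// The form embeds a nonce bound to this user and this action. A cross-site
// page cannot read it, so it cannot produce a request that passes the check.
function wpdot_render_optimize_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpdot_optimize">
        <?php wp_nonce_field( 'wpdot_optimize_action', 'wpdot_nonce' ); ?>
        <label>Table <input type="text" name="table"></label>
        <?php submit_button( 'Optimize' ); ?>
    </form>
    <?php
}

function wpdot_handle_optimize() {
    // 1. Capability check: only users allowed to manage the site may run
    //    maintenance. A forged request from a low-privilege session stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: check_admin_referer() calls wp_die() when the nonce is
    //    missing, expired or issued for another user/action. This is the
    //    control whose absence makes a handler CSRF-vulnerable (CWE-352).
    check_admin_referer( 'wpdot_optimize_action', 'wpdot_nonce' );

    // 3. Allow-list the target rather than trusting request input, so even a
    //    valid session cannot name an arbitrary table.
    global $wpdb;
    $allowed = array( $wpdb->posts, $wpdb->postmeta, $wpdb->options, $wpdb->comments );
    $table   = isset( $_POST['table'] ) ? sanitize_text_field( wp_unslash( $_POST['table'] ) ) : '';
    if ( ! in_array( $table, $allowed, true ) ) {
        wp_die( 'Unknown table.', '', array( 'response' => 400 ) );
    }
    $wpdb->query( "OPTIMIZE TABLE `{$table}`" );

    // 4. Redirect after a state change so a reload does not resubmit.
    wp_safe_redirect( add_query_arg( 'wpdot_done', '1', admin_url( 'tools.php' ) ) );
    exit;
}

// admin_post_{action} dispatches POSTs to admin-post.php for logged-in users.
add_action( 'admin_post_wpdot_optimize', 'wpdot_handle_optimize' );
```

When auditing a plugin for this weakness, look for the two checks in step 1 and step 2 on every code path that writes to the database; a nonce without a capability check, or a capability check without a nonce, leaves one half of the problem open.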
OpenCVE Enrichment