Impact
The vulnerability is a classic CSRF flaw that allows an attacker to forge a request on behalf of an authenticated user of a WordPress site. By triggering the plugin's import feature without the victim's knowledge, an attacker can make the site fetch and attach external resources, or perform other privileged actions available to that logged-in user. The impact is the execution of unintended actions, which may lead to unauthorized content changes, potential data corruption or, if the plugin accepts malicious content, further exploitation. The weakness is classified as CWE-352 (Cross-Site Request Forgery), indicating that the affected request handler fails to validate an anti-CSRF token (a WordPress nonce) or apply a similar mitigation.
Affected Systems
The affected product is the WordPress Import External Attachments plugin developed by ryanpcmcquen, specifically versions through and including 1.5.12. Any site running this plugin version is potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates a medium-severity risk. The EPSS score of less than 1% suggests a very low probability of exploitation at this time. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the victim to be authenticated and the attacker to persuade or trick the victim into loading a malicious request, such as by clicking a crafted link or visiting a malicious page while logged into the site. No specialized infrastructure or privilege escalation is required beyond the victim's existing authenticated session.
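The following is an added illustration of the CWE-352 pattern described above and its standard WordPress mitigation; it is not code from the Import External Attachments plugin, and every function and hook name prefixed `iea_demo_` is hypothetical. The unsafe handler processes any request that reaches it, while the hardened handler requires a nonce bound to the action and the current user before acting.

```php
<?php
// Added illustration, not code from the Import External Attachments plugin.
// Hypothetical admin-post handler for an "import" action in a WordPress plugin.

// Before: the handler trusts any request that reaches it. A cross-site form
// auto-submitted by a logged-in administrator's browser is processed exactly
// like one the administrator sent deliberately (CWE-352).
function iea_demo_handle_import_unsafe() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $post_id = (int) $_POST['post_id'];
    iea_demo_do_import( $post_id ); // hypothetical import routine
    wp_safe_redirect( admin_url( 'tools.php?page=iea-demo&done=1' ) );
    exit;
}

// After: the form carries a nonce tied to the action and the current user,
// and the handler rejects any request whose nonce does not verify.
function iea_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="iea_demo_import">
        <?php wp_nonce_field( 'iea_demo_import_action', 'iea_demo_nonce' ); ?>
        <input type="number" name="post_id" value="1">
        <?php submit_button( 'Import attachments' ); ?>
    </form>
    <?php
}

function iea_demo_handle_import_safe() {
    // Capability check: is this user allowed to import at all?
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Intent check: did this user actually submit our form? check_admin_referer()
    // calls wp_die() when the nonce is missing, expired, or forged.
    check_admin_referer( 'iea_demo_import_action', 'iea_demo_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || ! get_post( $post_id ) ) {
        wp_die( 'Invalid post.' );
    }
    iea_demo_do_import( $post_id ); // hypothetical import routine
    wp_safe_redirect( admin_url( 'tools.php?page=iea-demo&done=1' ) );
    exit;
}

add_action( 'admin_post_iea_demo_import', 'iea_demo_handle_import_safe' );
```

When reviewing a plugin for this class of issue, look for every `admin_post_*`, `admin-ajax.php` or REST handler that changes state and confirm it performs both a capability check and a nonce (or REST cookie-nonce) check; the capability check alone, as in the unsafe handler, does not stop CSRF.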