The reported vulnerability is a CSRF flaw (CWE-352) in the My Wp Brand WordPress plugin that permits an attacker to cause a logged‑in user to execute actions the user did not intend. The plugin fails to validate the origin or authenticity of state‑changing requests, enabling the attacker to trigger operations such as modifying plugin settings, deleting content, or performing other privileged tasks through a crafted request. Although the impact is limited to the permissions of the authenticated user, it can lead to unauthorized content changes, loss of data, and potential site compromise if the privileged user has administrative rights.

This flaw affects the My Wp Brand plugin released by imw3, for all versions up to and including 1.1.3. The description lists the range from n/a through 1.1.3, indicating that all available releases up to that version are vulnerable. The plugin is integrated into WordPress sites that have installed it. No specific WordPress core version requirement is noted, so the issue is relevant wherever the plugin is present.

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at the time of analysis. This vulnerability is not present in the CISA KEV catalog. It is a classic web‑application CSRF where the attacker would need to get the victim to visit a malicious page or click a link while their browser remains authenticated to the target site; the explanatory description does not mention any additional attacker privileges, so a typical user session is sufficient. Based on the description, it is inferred that the attacker can perform the exploit remotely through the victim’s browser, making the vector web‑based.