Impact
The defect is a Cross‑Site Request Forgery (CSRF) flaw that allows an attacker to craft a malicious request that the WordPress site will perform on behalf of a logged‑in user. The vulnerability can lead to arbitrary SQL query execution, potentially enabling full compromise of the database. Such query execution can allow attackers to read, modify, or delete sensitive data and, in the worst case, pivot to further attacks against the host. The weakness is classified as CWE‑352.
Affected Systems
The problem exists in the sh1zen WP Optimizer plugin, in all released versions up to and including 2.5.0. Every site running one of these versions is affected, regardless of the WordPress core version. No other products or vendors are reported to be impacted by this weakness.
Risk and Exploitability
The CVSS score of 9.6 classifies the flaw as critical, while the EPSS score of less than 1% indicates that exploitation is currently considered unlikely; the risk nonetheless remains high wherever the plugin is installed. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants immediate attention. The likely attack vector is a CSRF request originating from any page that a logged‑in administrator can be induced to load, since the description implies that an attacker can cause the site to execute arbitrary SQL through that flaw. Preventing exploitation requires both a capability (access control) check and a valid CSRF token on the affected action, and the current implementation fails to enforce them.
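As an added illustration (not code from the WP Optimizer plugin or from this advisory), the following shows the two controls the description says are missing, a capability check and a per‑user nonce, applied to a hypothetical WordPress AJAX handler; the action name `wpopt_example_cleanup`, the table `wpopt_example` and the `max_age_days` parameter are assumptions.

```php
<?php
// Constructed example of a WordPress admin action hardened against CWE-352.
// Not the plugin's code; action name, table and parameter are hypothetical.

// Server side: register the handler for logged-in users only.
add_action( 'wp_ajax_wpopt_example_cleanup', 'wpopt_example_cleanup_handler' );

function wpopt_example_cleanup_handler() {
    // Capability check: only administrators may trigger database changes.
    // Omitting this lets any logged-in user reach the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // terminates
    }

    // CSRF check: the request must carry a nonce bound to this action and
    // to the current user's session. A cross-site forged request cannot
    // know this value, so check_ajax_referer() dies here when it is absent.
    check_ajax_referer( 'wpopt_example_cleanup', '_wpnonce' );

    global $wpdb;

    // Never execute request-supplied SQL. Fix the statement in code and bind
    // the only user-controlled value with $wpdb->prepare().
    $max_age_days = absint( $_POST['max_age_days'] ?? 30 );
    if ( $max_age_days < 1 || $max_age_days > 365 ) {
        wp_send_json_error( 'max_age_days out of range', 400 ); // terminates
    }

    $table   = $wpdb->prefix . 'wpopt_example'; // hypothetical table
    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$table} WHERE created_at < DATE_SUB(NOW(), INTERVAL %d DAY)",
            $max_age_days
        )
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Client side (admin page): emit the nonce so legitimate requests carry it.
function wpopt_example_admin_page() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpopt_example_cleanup">';
    wp_nonce_field( 'wpopt_example_cleanup', '_wpnonce' );
    echo '<input type="number" name="max_age_days" value="30"> ';
    submit_button( 'Clean up' );
    echo '</form>';
}
```

A request that lacks the nonce, carries a nonce issued to another user, or comes from a non‑administrator account is rejected before any SQL runs, which is the behaviour the advisory says the affected versions do not enforce.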
OpenCVE Enrichment