Impact
The vulnerability is a Cross‑Site Request Forgery flaw in the FluentSnippets easy‑code‑manager plugin for WordPress. Because the plugin lacks proper CSRF protection, an attacker who can trick an authenticated user into visiting a crafted URL can cause that user to execute arbitrary administrative actions, such as creating or deleting snippets, changing settings, or otherwise modifying site content. This flaw is classified as CWE‑352 and has a CVSS score of 9.6, indicating that successful exploitation would grant the attacker high‑level influence over the affected site.
Affected Systems
The flaw affects all instances of the Shahjahan Jewel FluentSnippets plugin for WordPress at version 10.50 or earlier, that is, every release from the initial release through 10.50 inclusive. Any WordPress site running a plugin version in this range is vulnerable.
Risk and Exploitability
Although the EPSS score is listed as <1%, the CVSS score of 9.6 signals a severe risk. The attack vector is not explicitly stated, but from the description it can be inferred that an attacker tricks an authenticated user into visiting a crafted URL that triggers administrative actions through the vulnerable endpoint. The attacker needs no privileges of their own beyond the ability to lure a logged‑in user, so the exploit path is simple: craft a request that targets the vulnerable endpoint and get a logged‑in user to visit it. The flaw is not in CISA’s KEV catalog, but the low EPSS score does not diminish its inherent severity. System administrators should treat this as a high‑risk vulnerability and act promptly.
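The control the advisory says is missing is, in WordPress terms, nonce verification on state-changing admin requests. The following is an added illustration, not code from the FluentSnippets plugin: a hypothetical "delete snippet" admin-post handler in the unprotected shape the advisory describes, next to a hardened version. The function names, the action name and the assumption that snippets are stored as posts are all made up for the example.

```php
<?php
/**
 * Added example, not FluentSnippets code. Hypothetical WordPress
 * admin-post handlers for a "delete snippet" action (CWE-352 context).
 * All names here are assumptions for illustration.
 */

// Hypothetical data-layer call; assumes snippets are stored as posts.
function example_delete_snippet_record( $id ) {
    return (bool) wp_delete_post( $id, true );
}

// Unprotected form: any request from a logged-in browser is honoured,
// so a forged cross-site request from a crafted URL succeeds. Shown
// for contrast only; it is deliberately not hooked to any action.
function example_delete_snippet_unprotected() {
    $id = isset( $_REQUEST['snippet_id'] ) ? absint( $_REQUEST['snippet_id'] ) : 0;
    example_delete_snippet_record( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
    exit;
}

// Hardened form: verify a per-user, per-action nonce and the caller's
// capability before touching any state.
function example_delete_snippet_protected() {
    $id = isset( $_REQUEST['snippet_id'] ) ? absint( $_REQUEST['snippet_id'] ) : 0;

    // Dies with a 403 if the nonce is absent, expired, or was minted
    // for a different user or a different snippet id.
    check_admin_referer( 'example_delete_snippet_' . $id, '_wpnonce' );

    // A nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'example' ), '', array( 'response' => 403 ) );
    }

    example_delete_snippet_record( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
    exit;
}
add_action( 'admin_post_example_delete_snippet', 'example_delete_snippet_protected' );

// The link the plugin UI renders carries the matching nonce; a URL
// crafted by a third party cannot reproduce it for the victim's session.
function example_delete_snippet_link( $id ) {
    $url = add_query_arg(
        array( 'action' => 'example_delete_snippet', 'snippet_id' => $id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_snippet_' . $id, '_wpnonce' );
}
```

When auditing a plugin for this class of bug, look for admin-post, admin-ajax or REST handlers that change state without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call paired with a `current_user_can()` check.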
OpenCVE Enrichment