Impact
Based on the description, this vulnerability is inferred to let an attacker perform actions on behalf of an authenticated user of a WordPress site running the Theme Builder For Elementor plugin. Because the plugin accepts state‑changing requests without proper CSRF validation (in WordPress this typically means a request handler that never verifies a nonce), a page under the attacker's control can make the victim's browser submit a request that the site then executes with the victim's privileges, potentially altering theme settings, deleting content or performing other privileged operations. The weakness is classified as CSRF, CWE‑352. The CVSS base score of 6.5 corresponds to Medium severity.
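The following added example is not code from the BlocksWP plugin (this page does not identify the affected handler); it illustrates the CWE‑352 pattern in a WordPress plugin: an admin‑ajax handler that changes state on the strength of a logged‑in session alone, beside the hardened form that ties the request to a nonce for that action and checks the caller's capability. The function names, the `tb_settings` nonce action and the `tb_header_layout` option are hypothetical.

```php
<?php
/*
 * Added illustration, not the plugin's own code. All names below
 * (tb_* functions, the 'tb_settings' nonce action, the 'tb_header_layout'
 * option) are hypothetical.
 */

// --- Vulnerable pattern: the request is accepted because a session cookie is
// present. A third-party page can make the victim's browser send exactly this
// request; nothing proves the user intended the action.
function tb_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }
    $layout = sanitize_text_field( wp_unslash( $_POST['layout'] ?? '' ) );
    update_option( 'tb_header_layout', $layout ); // state change: no nonce, no capability check
    wp_send_json_success();
}
add_action( 'wp_ajax_tb_save_settings', 'tb_save_settings_vulnerable' );

// --- Hardened pattern: require a nonce bound to this action and to the current
// user (the CSRF defence), then require the capability the operation needs
// (authorization, which the nonce alone does not provide).
function tb_save_settings_hardened() {
    // check_ajax_referer() terminates the request with HTTP 403 when the nonce
    // is missing, expired or was issued for a different action or user.
    check_ajax_referer( 'tb_settings', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $layout = sanitize_text_field( wp_unslash( $_POST['layout'] ?? '' ) );
    update_option( 'tb_header_layout', $layout );
    wp_send_json_success();
}
add_action( 'wp_ajax_tb_save_settings_secure', 'tb_save_settings_hardened' );

// --- The legitimate settings form carries the matching nonce. A cross-origin
// page cannot read it (same-origin policy), so a forged request cannot supply
// it and the hardened handler rejects the request.
function tb_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="tb_save_settings_secure">
        <?php wp_nonce_field( 'tb_settings', '_wpnonce' ); ?>
        <input type="text" name="layout"
               value="<?php echo esc_attr( get_option( 'tb_header_layout', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

Two points a reviewer would check in any handler of this kind: the nonce check must be the first thing the handler does (a check after the state change is no check at all), and it must be paired with a `current_user_can()` test, because a valid nonce only proves the request came from the site's own UI, not that the user is allowed to perform the action. The same pairing applies to `admin-post.php` handlers (`check_admin_referer()`) and to REST routes (`permission_callback`).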
Affected Systems
The affected product is the BlocksWP Theme Builder For Elementor plugin for WordPress. All versions up to and including 1.2.3 are affected; no lower bound is given, so every earlier release should be treated as vulnerable. The page does not state a fixed version, so sites running 1.2.3 or earlier should check for a release newer than 1.2.3 before relying on an update.
Risk and Exploitability
The EPSS score is below 1 %, i.e. a low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in‑the‑wild exploitation is known to CISA. As with any CSRF, exploitation requires the victim to hold an active authenticated session on the WordPress site and to load attacker‑controlled content (a page, e‑mail or embedded resource) while that session is valid; the forged request then runs with whatever capabilities the victim has, so the primary targets are administrators and other users with elevated privileges. The CVSS base score of 6.5 (Medium) reflects that the attacker gains unauthorized capability only through a victim's authenticated session and only with user interaction, which limits the opportunity to the lifetime of that session.