Impact
Cross-site request forgery (CSRF) is a vulnerability that lets an attacker trick a victim's browser into submitting a request to a site where the victim is authenticated. The Animator scroll-triggered-animations plugin is described as accepting POST requests that can be forged; the description does not state whether the plugin performs origin or referer checks. The inference is that, absent such validation, a malicious page could send a forged request automatically, allowing the attacker to perform any action the authenticated user is authorized to perform, such as altering plugin settings or publishing content.
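As an added illustration that is not the Animator plugin's own code, the following shows a hypothetical WordPress settings handler in the unprotected shape the advisory describes beside the hardened form that uses WordPress nonces (the standard CSRF defense in WordPress core) together with a capability check. The option name, action name and form field are placeholders.

```php
<?php
// Added example, not code from the Animator plugin. Illustrates the flaw class
// described above and the standard WordPress mitigation. The option name,
// action name and form field are hypothetical placeholders.

// --- Vulnerable pattern: a settings handler that trusts any POST request ---
// Any page the logged-in admin visits can auto-submit a form to admin-post.php
// with action=example_save_settings, and this handler would save whatever it receives.
function example_save_settings_vulnerable() {
    $value = $_POST['animation_speed'] ?? '';   // no nonce, no capability check, no sanitization
    update_option( 'example_animation_speed', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- Hardened pattern: nonce (CSRF token) + capability check + sanitization ---
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="animation_speed"
               value="<?php echo esc_attr( get_option( 'example_animation_speed', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    // check_admin_referer() verifies the nonce bound to this user and action and dies on
    // failure; a page on another origin cannot read or guess it, so a forged POST is rejected.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // A nonce proves intent, not authority: still require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['animation_speed'] ?? '' ) );
    update_option( 'example_animation_speed', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// Only the hardened handler is registered on the admin-post.php action hook.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

Origin or Referer header checks, which the advisory mentions, are a complementary layer; in WordPress the nonce check is what plugins are expected to rely on for state-changing requests.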
Affected Systems
The issue affects the Toast Plugins Animator plugin for WordPress versions up to and including 3.0.16. Any site using a vulnerable version may be exposed to CSRF attacks.
Risk and Exploitability
With a CVSS score of 4.3, the flaw is of moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Given the nature of CSRF, an attacker would need to entice an authenticated user to visit a malicious page that submits a forged request, so the attack vector is remote but depends on the victim's authentication state.
OpenCVE Enrichment