Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Photo Engine plugin's wplr-sync endpoint. Because the endpoint accepts a request on the strength of the victim's WordPress login cookie alone, a page controlled by an attacker can make a logged-in user's browser submit that request, and the plugin will perform the sync (or whatever other privileged operation the endpoint exposes) as that user, without the user's consent. The CVSS score of 4.3 corresponds to medium severity: the attacker cannot act directly but needs a logged-in victim to visit a crafted page, and the effect is limited to what the endpoint does within that user's session.
Affected Systems
All releases of Jordy Meow's Photo Engine plugin up to and including version 6.4.3 are affected. A WordPress site running any 6.4.3 or earlier build should be treated as vulnerable; releases after 6.4.3 are not listed as affected.
Risk and Exploitability
The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so active exploitation is currently unlikely. CSRF nonetheless needs no foothold on the target site: an attacker only has to get a logged-in user with the rights to run the sync to open a crafted link or a page that embeds a request to the endpoint, and the browser supplies the session cookie automatically. The realistic outcome is an unwanted sync or other state change performed under the victim's account, which matches the moderate, integrity-focused CVSS rating rather than a broad compromise of the site.
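The root cause described above is a state-changing handler that trusts the session cookie alone. The block below is an added illustration of the standard WordPress guard against that, placed here for the Impact and Risk sections together; it is not the Photo Engine plugin's code, and the hook name `wp_ajax_example_sync`, the nonce action `example_sync_nonce`, the `upload_files` capability and the `example_run_sync` helper are assumptions for the example.

```php
<?php
// Added example of the WordPress CSRF guard pattern (nonce + capability check).
// NOT the Photo Engine plugin's code: hook, nonce action, capability and helper
// names are assumed for illustration only.

// Vulnerable shape, shown for contrast and deliberately NOT registered with
// add_action(): the handler trusts the logged-in cookie alone, so any page the
// victim visits can make the browser send this request and the sync runs.
function example_sync_unprotected() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $collection = isset( $_POST['collection'] )
        ? sanitize_text_field( wp_unslash( $_POST['collection'] ) )
        : '';
    example_run_sync( $collection ); // state change with no proof of origin
    wp_send_json_success();
}

// Hardened shape: the request must carry a nonce minted for this user and this
// action, and the user must hold a capability appropriate to the operation.
add_action( 'wp_ajax_example_sync', 'example_sync_protected' );
function example_sync_protected() {
    // Terminates with HTTP 403 and "-1" if the nonce is missing, expired,
    // or was minted for another user or action.
    check_ajax_referer( 'example_sync_nonce', '_ajax_nonce' );

    if ( ! current_user_can( 'upload_files' ) ) { // assumed capability
        wp_send_json_error( 'forbidden', 403 );
    }
    $collection = isset( $_POST['collection'] )
        ? sanitize_text_field( wp_unslash( $_POST['collection'] ) )
        : '';
    example_run_sync( $collection );
    wp_send_json_success();
}

// The nonce is handed only to the plugin's own admin-page script; a
// third-party page cannot read it, so it cannot forge a valid request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-sync', plugins_url( 'sync.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-sync', 'exampleSync', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_sync_nonce' ),
    ) );
} );

// Placeholder for the actual synchronisation work (assumed for the example).
function example_run_sync( $collection ) {
    update_option( 'example_last_sync', array(
        'collection' => $collection,
        'time'       => time(),
    ) );
}
```

The same rule applies if the endpoint is exposed through the REST API instead of admin-ajax: register the route with a `permission_callback` that checks the capability, and rely on WordPress's cookie authentication requiring a valid `X-WP-Nonce` header (action `wp_rest`), which a cross-origin page cannot supply. When auditing a plugin for this class of bug, look for every `wp_ajax_*` or REST callback that changes state and confirm it calls `check_ajax_referer()`, `wp_verify_nonce()` or a REST permission callback before acting.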