Impact
The vulnerability is a classic Cross-Site Request Forgery (CSRF) flaw in the YITH WooCommerce Popup WordPress plugin. It allows an attacker who tricks an authenticated user or an administrator into visiting a crafted link or submitting a crafted form to perform unauthorized actions on behalf of that victim. The flaw does not lead to remote code execution or direct data exfiltration, but it can cause unwanted changes to site configuration, popup settings, or other plugin behavior. The weakness is identified as CWE-352.
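The following is an added illustration of the CWE-352 pattern in a WordPress admin handler and of its standard mitigation; it is not code from the YITH WooCommerce Popup plugin or from this advisory, and the hook, option and function names (popupdemo_*) are hypothetical. A handler that writes settings must verify a nonce bound to the action and the logged-in user, and check the caller's capability, before trusting a POST that arrives with the victim's session cookie.

```php
<?php
// Illustrative only: not the YITH WooCommerce Popup plugin's code. Hook, option
// and function names (popupdemo_*) are hypothetical.

// Vulnerable pattern: the admin_post handler trusts any POST carrying the
// victim's session cookie, so a cross-site form submission changes the setting.
add_action( 'admin_post_popupdemo_save_unsafe', 'popupdemo_save_unsafe' );
function popupdemo_save_unsafe() {
    $enabled = isset( $_POST['popup_enabled'] ) ? 1 : 0;
    update_option( 'popupdemo_enabled', $enabled ); // no nonce, no capability check
    wp_safe_redirect( admin_url( 'admin.php?page=popupdemo' ) );
    exit;
}

// Hardened pattern: the form carries a nonce tied to the action and the current
// user, and the handler rejects requests that lack it or come from an
// unprivileged user.
function popupdemo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="popupdemo_save">
        <?php wp_nonce_field( 'popupdemo_save', 'popupdemo_nonce' ); ?>
        <label><input type="checkbox" name="popup_enabled" value="1"
            <?php checked( 1, (int) get_option( 'popupdemo_enabled', 0 ) ); ?>> Enable popup</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_popupdemo_save', 'popupdemo_save' );
function popupdemo_save() {
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: dies with 403 when the nonce is missing, forged, expired,
    // or was issued for another user or action; also checks the referer.
    check_admin_referer( 'popupdemo_save', 'popupdemo_nonce' );

    $enabled = isset( $_POST['popup_enabled'] ) ? 1 : 0; // coerce to a known-good value
    update_option( 'popupdemo_enabled', $enabled );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=popupdemo' ) ) );
    exit;
}
```

Both checks are needed: the nonce alone would still let any authenticated user who can load the form save the option, while the capability check alone does nothing against a forged request riding an administrator's session.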
Affected Systems
WordPress sites running YITHEMES' YITH WooCommerce Popup plugin at any version from the earliest release through 1.48.0 are affected. The vendor information gives no explicit lower bound, so any installation at version 1.48.0 or earlier is potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.3 classifies the flaw as moderate in severity. The EPSS score of <1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog, further lowering the assessed risk. Exploitation most likely requires a user to be authenticated to the site and to click a malicious link or submit a crafted form in the browser, so standard web-browser interaction is the inferred attack vector.