Impact
A cross-site request forgery (CSRF) flaw exists in the WPDM – Premium Packages WordPress plugin. Because at least one state-changing request is not protected by an anti-CSRF token (CWE-352), a malicious site can cause a logged-in administrator's browser to submit a crafted request; the browser attaches the victim's session cookies, so the plugin processes the request with the victim's privileges. The flaw does not by itself grant remote code execution, but an attacker who lures an administrator can change plugin configuration or potentially lift restrictions the plugin enforces, compromising the integrity and confidentiality of site content.
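The following is an added illustration, not code from the WPDM – Premium Packages plugin (the advisory does not show the plugin's internals). It sketches a hypothetical WordPress admin-post handler in the shape described above, first without any nonce check and then hardened with the WordPress nonce API; every name in it (example_save_settings, example_restrict_downloads, example_nonce, the settings page slug) is an assumption made for the example.

```php
<?php
// Added example: a hypothetical settings handler, not the plugin's own code.
// The option name, action name and nonce field name are assumptions.

// --- Vulnerable shape (CWE-352): capability check only, no anti-CSRF token.
// A capability check confirms WHO is logged in, not WHETHER the request was
// intentionally sent from the site's own form. A page on another origin can
// auto-submit a POST to admin-post.php and the browser sends the auth cookies.
function example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }
    // No check_admin_referer()/wp_verify_nonce(): a forged cross-site POST succeeds.
    $restrict = isset( $_POST['restrict'] ) ? '1' : '0';
    update_option( 'example_restrict_downloads', $restrict );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// --- Hardened shape: the form carries a nonce bound to this action and the
// current user's session, and the handler verifies it before writing anything.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>
            <input type="checkbox" name="restrict" value="1"
                <?php checked( get_option( 'example_restrict_downloads', '0' ), '1' ); ?>>
            Restrict downloads
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }
    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['example_nonce']
    // for the action 'example_save_settings' and stops the request if the token
    // is missing, expired or issued for another user/action. A third-party page
    // cannot read a nonce from the victim's session, so the forged POST is rejected.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    $restrict = isset( $_POST['restrict'] ) ? '1' : '0';
    update_option( 'example_restrict_downloads', $restrict );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

Two practical notes. First, the nonce is a CSRF defence, not an authorization check: keep the `current_user_can()` test as well, since a valid nonce from a low-privileged user must not be enough to change admin settings. Second, do not rely on browser SameSite cookie defaults in place of the token; when auditing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` and REST write handler and confirm that each one calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` (or, for REST routes, a proper `permission_callback`) before any state change.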
Affected Systems
The vendor lists the affected range as WPDM – Premium Packages from n/a through 6.0.2; no lower bound is given, so every release up to and including 6.0.2 should be treated as vulnerable. Any WordPress installation running such a version is at risk.
Risk and Exploitability
The CVSS base score of 4.3 (Medium) reflects limited impact and the need for user interaction: exploitation depends on persuading an authenticated administrator to open an attacker-controlled page while logged in to the site. The EPSS score of under 1% indicates a low probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. The realistic attack path is a phishing link or drive-by page that submits the forged request from the victim's browser, so the overall risk is moderate and gated by victim participation. Timely patching remains the most effective countermeasure.