Impact
The vulnerability allows an attacker to craft forged HTTP requests against the WordPress AgreeMe Checkboxes For WooCommerce plugin. Because the plugin does not verify a token or nonce proving that the request originated from a legitimate authenticated session, a forged request is accepted and processed by WooCommerce as if the user had submitted it. An attacker who can trick a logged‑in user into visiting a malicious page can therefore trigger actions on that user's behalf, possibly resulting in unintended changes to the site’s configuration, products, or user accounts.
Affected Systems
The flaw exists in all released versions of the Amin Y AgreeMe Checkboxes For WooCommerce plugin through and including 1.1.3. Any WordPress installation that has this plugin installed and active is susceptible, regardless of its other components or themes.
Risk and Exploitability
The CVSS score of 4.3 classifies the issue as moderate, and the EPSS score of less than 1 % indicates a low but non‑zero chance of exploitation. The vulnerability is not listed in CISA’s KEV catalog. A likely exploitation path involves an actor hosting a fake or compromised site that contains a malicious link or script which sends a forged request to the vulnerable plugin while the victim is logged in to the WooCommerce site. Because the plugin lacks a CSRF token check, the forged request is interpreted as legitimate, enabling the attacker to perform actions that should have required the user's own deliberate submission.
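The following is an added illustration of the defect class described above, not code from the AgreeMe plugin or from Amin Y: a hypothetical WordPress admin-post handler that saves one plugin option, shown first without any proof-of-intent check and then hardened with the standard WordPress nonce and capability checks. The option name, form action, nonce name and the `manage_woocommerce` capability are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Option name, action string,
// nonce field name and capability are assumptions for illustration.

// --- Weak form: accepts any POST that reaches the handler ---------------
// A forged request launched from a third-party page carries the victim's
// session cookies, so is_user_logged_in() proves who the browser belongs
// to but not that the user meant to send this request.
function agreeme_example_save_unchecked() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $label = sanitize_text_field( wp_unslash( $_POST['checkbox_label'] ?? '' ) );
    update_option( 'agreeme_example_label', $label ); // stored with no nonce check
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// --- Hardened form: nonce proves intent, capability proves authority ----
function agreeme_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="agreeme_example_save">
        <?php wp_nonce_field( 'agreeme_example_save', 'agreeme_example_nonce' ); ?>
        <input type="text" name="checkbox_label"
               value="<?php echo esc_attr( get_option( 'agreeme_example_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function agreeme_example_save_checked() {
    // 1. Authorisation: only users allowed to manage the shop may change settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Intent: the request must carry a nonce that only our own form emits.
    //    check_admin_referer() calls wp_die() on a missing or invalid nonce.
    //    WordPress nonces are bound to the user, the action string and a
    //    rolling time window, so a page on another origin cannot supply one.
    check_admin_referer( 'agreeme_example_save', 'agreeme_example_nonce' );

    $label = sanitize_text_field( wp_unslash( $_POST['checkbox_label'] ?? '' ) );
    update_option( 'agreeme_example_label', $label );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_agreeme_example_save', 'agreeme_example_save_checked' );

// For AJAX endpoints the equivalent pairing is wp_create_nonce( 'agreeme_example_save' )
// passed to the script and check_ajax_referer( 'agreeme_example_save', 'nonce' )
// at the top of the wp_ajax_* callback.
```

Two points matter when reviewing a plugin for this class of bug: the nonce check and the capability check are separate controls and both are needed (a nonce without `current_user_can()` lets any logged-in subscriber reach the handler; a capability check without a nonce is exactly the CSRF gap described on this page), and every state-changing entry point must be covered, including `wp_ajax_*`, `admin_post_*` and REST routes, since a single unchecked handler is enough.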