Impact
The vulnerability is a classic cross-site request forgery (CSRF, CWE-352) in the Automattic Developer plugin for WordPress. An attacker can trick an authenticated site administrator or other logged-in user into submitting a request they did not intend, potentially altering plugin settings or triggering other state-changing actions without the user's knowledge. The reported CVSS score of 4.3 (medium) reflects that the flaw does not by itself lead to arbitrary code execution, but it can still compromise the integrity of the site's configuration and content. The impact is bounded by the privileges of the authenticated user whose browser submits the forged request.
Affected Systems
WordPress sites running the Automattic Developer plugin at version 1.2.6 or earlier are affected. The flaw is present in every release up to and including 1.2.6, so any site that has not upgraded past 1.2.6 remains vulnerable.
Risk and Exploitability
The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. The description implies the usual CSRF attack vector: the attacker lures a logged-in user to an attacker-controlled page, or embeds a forged request in content the victim views, and the victim's browser submits that request to the site with the session cookies attached. Because browsers attach those cookies automatically, a targeted attack against an administrator needs only that the victim be authenticated while viewing the attacker's content; the attacker never needs the password or session token. The low EPSS nonetheless indicates that large-scale exploitation has not been observed.
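To make the CWE-352 pattern concrete, the following is an added illustration, not code from the Developer plugin or from Automattic: a hypothetical WordPress settings handler as it looks when it accepts any authenticated POST, beside the same handler protected with a WordPress nonce and a capability check. The hook name `admin_post_devplugin_save_settings`, the option name `devplugin_option`, the nonce action `devplugin_save_settings` and the `manage_options` capability are assumptions chosen for the example; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`, `wp_safe_redirect`) are the platform's standard API.

```php
<?php
// Added example, not the plugin's code. Hook, option and nonce names are
// assumptions for illustration. Runs inside WordPress as part of a plugin.

// VULNERABLE (the CWE-352 shape): any POST to
// admin-post.php?action=devplugin_save_settings is accepted as long as the
// browser sends a valid logged-in cookie. A cross-site form that auto-submits
// to this URL rides on the victim's session and changes the setting.
function devplugin_save_settings_vulnerable() {
    $value = isset( $_POST['devplugin_option'] ) ? $_POST['devplugin_option'] : '';
    update_option( 'devplugin_option', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=devplugin' ) );
    exit;
}

// PROTECTED: the request must carry a nonce minted for this action for this
// user, which only a page the user actually loaded on this site can contain.
// A cross-origin attacker cannot read that nonce, so the forged request fails.
function devplugin_save_settings_protected() {
    // Stops with a "link has expired" screen if the nonce is missing or
    // invalid (also checks the Referer when present).
    check_admin_referer( 'devplugin_save_settings', 'devplugin_nonce' );

    // A nonce proves intent, not authorization: still enforce the capability,
    // otherwise any logged-in subscriber with a valid nonce could change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['devplugin_option'] )
        ? sanitize_text_field( wp_unslash( $_POST['devplugin_option'] ) )
        : '';
    update_option( 'devplugin_option', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=devplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_devplugin_save_settings', 'devplugin_save_settings_protected' );

// The settings form must emit the matching nonce field; the action string and
// field name here must equal the ones passed to check_admin_referer() above.
function devplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="devplugin_save_settings">
        <?php wp_nonce_field( 'devplugin_save_settings', 'devplugin_nonce' ); ?>
        <input type="text" name="devplugin_option"
               value="<?php echo esc_attr( get_option( 'devplugin_option', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points worth checking when auditing a plugin for this class of bug: every handler that changes state (settings saves, `admin_post_*` and `wp_ajax_*` callbacks, actions triggered by query-string links) should call `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before touching the database, and the nonce check should always sit next to a `current_user_can()` check, since WordPress nonces are per-user, per-action tokens and say nothing about what that user is allowed to do.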