Impact
The payOS WordPress plugin contains a Cross‑Site Request Forgery (CSRF) flaw that lets an attacker cause a logged‑in user's browser to submit requests the user never intended. Because the plugin does not verify that a state‑changing request originated from its own pages (the standard WordPress defence is a nonce check tied to the action and the user's session), a malicious webpage the victim visits can trigger the plugin's privileged operations with the victim's session and without the user's knowledge. The vulnerability is present in all releases up to and including version 1.0.73. The CVSS score of 5.4 places it at medium severity, reflecting that the impact is confined to the actions available in the victim's authenticated session rather than a system‑wide compromise.
Affected Systems
WordPress sites that run the Loc Bui payOS plugin version 1.0.73 or earlier are affected. The attack can impact any installation that has not applied the latest update, regardless of the host infrastructure, as the flaw exists within the plugin code itself.
Risk and Exploitability
The EPSS score of less than 1 % signals a very low likelihood of exploitation at present, and the flaw is not listed in the CISA KEV catalog. An attacker needs the victim to be logged in to the WordPress site and to visit a page under the attacker's control that issues the forged request, so exploitation depends on user interaction. Despite the low exploitation probability, the ability to perform unauthorized actions on behalf of an authenticated user warrants prompt remediation, since such actions could alter the plugin's configuration or transaction data; updating to a release newer than 1.0.73 removes the flaw.
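The following is an added illustration of the missing‑origin‑check pattern described under Impact and of the fix a plugin author would apply; it is not the payOS plugin's code and makes no claim about which handler or option in payOS is affected. The option name `example_pay_settings`, the action slug `example_pay_save`, and the nonce action `example_pay_save_action` are hypothetical. The WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are real core APIs.

```php
<?php
// Added example, not payOS code. All names below are hypothetical.

// --- Vulnerable pattern. A settings handler reachable at
// /wp-admin/admin-post.php?action=example_pay_save that trusts any POST body
// from a logged-in user. A cross-site page can auto-submit a form to that URL;
// the victim's WordPress auth cookie rides along, so the attacker chooses the
// stored values. Being logged in is not proof that the user meant to send it.
function example_pay_save_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 401 );
    }
    // No nonce, no capability check, no referer check: this is the CSRF bug.
    update_option( 'example_pay_settings', array(
        'api_key'    => $_POST['api_key'] ?? '',
        'return_url' => $_POST['return_url'] ?? '',
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-pay' ) );
    exit;
}

// --- Hardened pattern: the same handler with the checks WordPress provides.
function example_pay_save_hardened() {
    // 1. Authorization: only users allowed to change plugin settings proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Origin check: the request must carry a nonce bound to this action and
    //    this user's session. A cross-site page cannot read the nonce, so it
    //    cannot forge a passing request. check_admin_referer() also verifies
    //    the Referer header as a secondary signal and dies on failure.
    check_admin_referer( 'example_pay_save_action', 'example_pay_nonce' );

    // 3. Sanitize before storing.
    $settings = array(
        'api_key'    => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'return_url' => esc_url_raw( wp_unslash( $_POST['return_url'] ?? '' ) ),
    );
    update_option( 'example_pay_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-pay' ) );
    exit;
}
add_action( 'admin_post_example_pay_save', 'example_pay_save_hardened' );

// The legitimate settings form must emit the matching nonce so real submissions
// pass the check. wp_nonce_field() prints a hidden input named 'example_pay_nonce'
// whose value is derived from the action, the current user and a rotating tick.
function example_pay_render_form() {
    $s = get_option( 'example_pay_settings', array( 'api_key' => '', 'return_url' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_pay_save">
        <?php wp_nonce_field( 'example_pay_save_action', 'example_pay_nonce' ); ?>
        <label>API key
            <input type="text" name="api_key" value="<?php echo esc_attr( $s['api_key'] ); ?>">
        </label>
        <label>Return URL
            <input type="url" name="return_url" value="<?php echo esc_attr( $s['return_url'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look at every `admin_post_*`, `wp_ajax_*` and REST handler that calls `update_option`, writes to the database or changes user state, and confirm each one performs both a capability check and a nonce (or REST permission callback) check; one without the other is insufficient, since the nonce proves intent but not authorization, and the capability check proves authorization but not intent.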