Impact
The WP Compiler plugin for WordPress contains a CSRF vulnerability that permits an attacker to force a logged-in user's browser to send a crafted request to the site, potentially triggering unintended state-changing actions. While the official description does not list the specific affected actions, CSRF in a WordPress plugin typically means that a state-changing handler accepts a request without verifying a nonce, so an attacker can make the victim's browser submit forms or invoke plugin functionality without the user's knowledge, thereby compromising the integrity of the site.
Affected Systems
All WordPress installations that use the WP Compiler plugin by Bytes.co at version 1.0.0 or earlier are affected. Only users who hold sufficient privileges on the site are potentially impacted, and only when they visit a malicious webpage that initiates the forged request while they are logged in.
Risk and Exploitability
The CVSS score of 4.3 reflects moderate severity, given that an attacker needs the victim to be authenticated to the target site and to visit an attacker-controlled page. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild. Because the flaw relies on a forged request that a visitor must be tricked into sending, the likely attack vector is a malicious third-party site that the victim opens while logged into the target WordPress site. The vulnerability is not listed in the CISA KEV catalog, further suggesting that no confirmed in-the-wild exploitation has been recorded at this time.
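The control that stops the forged-request vector described above is WordPress's nonce mechanism combined with a capability check. The following is an added example written for this page; it is not WP Compiler's own code, and the action name `wpc_compile`, the nonce field `wpc_nonce`, the option key `wpc_output_dir`, the settings page slug and the `manage_options` capability are all assumptions chosen for illustration. It shows a handler of the kind the advisory describes (state change with no nonce check) beside its hardened form, plus the settings form that carries the nonce.

```php
<?php
// Added example, not WP Compiler's code. All action/option/field names below are
// assumptions for illustration.

// --- Handler lacking CSRF protection (the pattern the advisory describes) ---
// Deliberately NOT registered with add_action(): shown only to contrast with
// the hardened version. If it were registered, any authenticated user whose
// browser was steered to submit a form at admin-post.php?action=... would have
// this run on their behalf, because the request is trusted solely on the
// session cookie the browser attaches automatically.
function wpc_handle_compile_unsafe() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required' );
    }
    // No nonce check, no capability check, no sanitization.
    update_option( 'wpc_output_dir', $_POST['output_dir'] );
    wp_safe_redirect( admin_url( 'admin.php?page=wpc_settings' ) );
    exit;
}

// --- Hardened handler: nonce + capability + input sanitization ---
function wpc_handle_compile_safe() {
    // check_admin_referer() verifies that the 'wpc_nonce' POST field carries a
    // nonce issued for the 'wpc_compile' action to the current user, and calls
    // wp_die() with a 403 otherwise. A cross-site form cannot know this value,
    // so a forged request stops here.
    check_admin_referer( 'wpc_compile', 'wpc_nonce' );

    // A nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $output_dir = isset( $_POST['output_dir'] )
        ? sanitize_text_field( wp_unslash( $_POST['output_dir'] ) )
        : '';
    update_option( 'wpc_output_dir', $output_dir );

    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'admin.php?page=wpc_settings' ) )
    );
    exit;
}
// admin_post_{action} fires for logged-in users posting to admin-post.php.
add_action( 'admin_post_wpc_compile', 'wpc_handle_compile_safe' );

// The settings form that targets the hardened handler. wp_nonce_field() emits a
// hidden <input name="wpc_nonce"> and a _wp_http_referer field.
function wpc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpc_compile">
        <?php wp_nonce_field( 'wpc_compile', 'wpc_nonce' ); ?>
        <label>Output directory
            <input type="text" name="output_dir"
                   value="<?php echo esc_attr( get_option( 'wpc_output_dir', '' ) ); ?>">
        </label>
        <?php submit_button( 'Compile' ); ?>
    </form>
    <?php
}
```

For AJAX handlers the equivalent check is `check_ajax_referer()` with the nonce passed to the script via `wp_localize_script()`; for REST routes WordPress validates the `X-WP-Nonce` header when a `permission_callback` is set. When reviewing a plugin for this class of bug, the thing to look for is any `admin_post_*`, `wp_ajax_*`, `admin_init` or `init` hook that writes options, files or database rows without one of these checks preceding the write.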
OpenCVE Enrichment
EUVD