Impact
The vulnerability is a Cross‑Site Request Forgery flaw that enables an attacker to cause a logged‑in WordPress user to submit a request to the WooCommerce Single Page Checkout plugin without the user’s consent. By exploiting this weakness, an attacker could potentially place unauthorized orders or alter purchase details, compromising the integrity of transaction data within the e‑commerce store.
Affected Systems
The affected product is the WooCommerce Single Page Checkout plugin developed by brijrajs. Versions of the plugin from the initial release up to and including 1.2.7 are affected. The vulnerability exists within the WordPress ecosystem when this plugin is installed and activated.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate level of severity, and the EPSS score, which reflects the likelihood of exploitation, is less than 1%. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this flaw by hosting a malicious website that includes a hidden transaction request and persuading an authenticated user to visit the page, or by leveraging social engineering to trigger the request. Because the flaw is a lack of proper anti‑CSRF protections, exploitation requires no authentication beyond the user’s current session.
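The missing protection described above is, in WordPress, a nonce check on the state-changing request. The following is an added example of a handler that has one; it is not code from the affected plugin, and every `spc_demo_*` name, the option it stores, the `spc-demo` page slug and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
/**
 * Added example: a nonce-protected, state-changing handler.
 * All "spc_demo_*" identifiers are hypothetical, not the affected plugin's.
 */

// Render the form. wp_nonce_field() emits a hidden token bound to the
// action name and the current user's session.
function spc_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="spc_demo_save">
        <?php wp_nonce_field( 'spc_demo_save', 'spc_demo_nonce' ); ?>
        <input type="text" name="spc_demo_title"
               value="<?php echo esc_attr( get_option( 'spc_demo_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// admin_post_{action} fires only for logged-in users.
add_action( 'admin_post_spc_demo_save', 'spc_demo_handle_save' );

function spc_demo_handle_save() {
    // Authorization: a valid session cookie alone is not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // CSRF check: a page on another origin cannot read this token, so a
    // request it triggers arrives without a valid one.
    // check_admin_referer() ends the request if the nonce is missing or invalid.
    check_admin_referer( 'spc_demo_save', 'spc_demo_nonce' );

    // Only now touch stored data, and only with sanitized input.
    $title = isset( $_POST['spc_demo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['spc_demo_title'] ) )
        : '';
    update_option( 'spc_demo_title', $title );

    wp_safe_redirect( admin_url( 'admin.php?page=spc-demo&updated=1' ) );
    exit;
}
```

When reviewing a plugin for this class of flaw, look for `admin_post_*`, `wp_ajax_*` or `init` callbacks that write data without a call to `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write.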