Impact
The snagysandor Parallax Scrolling Enllax.js plugin for WordPress contains a CSRF flaw that lets an attacker trigger state-changing requests without a valid CSRF token. If an authenticated user visits a crafted URL or submits a manipulated form, the plugin can be made to modify its settings or perform other privileged actions on that user's behalf, potentially tampering with the site's user experience or exposing sensitive configuration data. The weakness is classified as CWE-352 (Cross-Site Request Forgery), reflecting a missing or improperly implemented CSRF guard.
Affected Systems
This flaw affects the snagysandor Parallax Scrolling Enllax.js plugin for WordPress in all versions up to and including 0.0.6. Sites running version 0.0.6 or earlier remain at risk until the plugin is updated. No other WordPress components are stated as affected.
Risk and Exploitability
The CVSS score of 4.3 places the flaw in the medium severity category, and its EPSS score of less than 1% indicates that real-world exploitation is unlikely at present. Because the plugin lacks CSRF protection, an attacker can forge requests that are sent from an authenticated user's browser, but the reachable actions are limited to those exposed by the plugin's own interface. The vulnerability is not listed in the CISA KEV catalog, so its practical impact remains moderate for sites that have not yet upgraded; the ability to alter plugin configuration nonetheless warrants remediation.
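The root cause described above, a settings handler that accepts any POST request without checking a CSRF token, is the classic CWE-352 pattern in WordPress plugins. The following PHP is an added illustration written for this page; it is not the Enllax.js plugin's code, and the action name, option name and form page are hypothetical. It shows a vulnerable admin-post handler next to a hardened one that uses WordPress's built-in nonce and capability checks, which is the standard fix for this class of flaw.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// All action, option and nonce names below are hypothetical placeholders.

// --- Vulnerable pattern (CWE-352): any POST to admin-post.php with
//     action=enllax_demo_save_unsafe changes the option. No nonce, no
//     capability check, so a forged cross-site form from a logged-in
//     admin's browser is accepted.
add_action('admin_post_enllax_demo_save_unsafe', function () {
    update_option('enllax_demo_speed', $_POST['speed'] ?? '');
    wp_safe_redirect(admin_url('options-general.php?page=enllax-demo'));
    exit;
});

// --- Hardened settings form: embeds a per-user, time-limited nonce that a
//     third-party site cannot know or guess.
function enllax_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="enllax_demo_save">
        <?php wp_nonce_field('enllax_demo_save', 'enllax_demo_nonce'); ?>
        <label>
            Scroll speed
            <input type="number" name="speed"
                   value="<?php echo esc_attr(get_option('enllax_demo_speed', '1')); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// --- Hardened handler: verify who is asking (capability) and that the
//     request came from our own form (nonce) before any state change.
add_action('admin_post_enllax_demo_save', function () {
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'), '', ['response' => 403]);
    }
    // check_admin_referer() terminates with a 403 page when the nonce is
    // absent, expired, or was issued for a different user or action.
    check_admin_referer('enllax_demo_save', 'enllax_demo_nonce');

    // Only now is it safe to touch persistent state; sanitize the input too.
    $speed = isset($_POST['speed']) ? absint($_POST['speed']) : 1;
    update_option('enllax_demo_speed', $speed);

    wp_safe_redirect(add_query_arg('updated', '1',
        admin_url('options-general.php?page=enllax-demo')));
    exit;
});
```

Two points matter when reviewing a plugin for this bug: the nonce check must sit in the same code path that performs the write (a nonce on the form alone does nothing if the handler never calls `check_admin_referer()` or `wp_verify_nonce()`), and the nonce check complements rather than replaces the `current_user_can()` check, since a nonce proves request origin, not authorization. Any action exposed through `admin_post_*`, `wp_ajax_*` or a REST route that changes options needs the same treatment.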
OpenCVE Enrichment