Impact
The vulnerability allows an attacker to craft requests that the WordPress site accepts and executes with the privileges of the victim user. The flaw stems from the absence of a proper CSRF token (nonce) check in the Woocommerce Gifts Product plugin, so a state-changing action performed through the plugin can be triggered by a forged request from a third-party page, provided the victim is logged in when their browser sends it. The impact is primarily to the integrity of gift product data, with confidentiality affected only where a triggered action discloses data, and potentially to broader site actions if the plugin's backend routes are used. The issue is classified as CWE‑352 (Cross-Site Request Forgery).
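To make the flaw concrete, the following PHP shows the CSRF-prone handler pattern the advisory describes beside its hardened form. This is an added example written for this page, not code from the Woocommerce Gifts Product plugin; the `xgift_` hook, function, option and field names, and the `manage_woocommerce` capability choice, are hypothetical, while `check_admin_referer()`, `wp_nonce_field()` and `current_user_can()` are the real WordPress APIs a fix would use.

```php
<?php
/*
 * Illustrative WordPress admin-post handler: the CSRF-prone pattern beside
 * its hardened form. Added example, not the plugin's own code; all xgift_*
 * names, the option name and the form field names are hypothetical.
 */

// --- Vulnerable pattern (hypothetical) -------------------------------------
// A state-changing handler that trusts any request carrying the expected
// fields. A form POST auto-submitted from an attacker's page still carries the
// victim's WordPress auth cookies, so this runs with the victim's privileges.
function xgift_save_settings_vulnerable() {
    // No nonce check and no capability check: any request reaching this hook,
    // including one forged from another origin, rewrites the option.
    $price = isset( $_POST['xgift_price'] ) ? (float) $_POST['xgift_price'] : 0.0;
    update_option( 'xgift_price', $price );
    wp_safe_redirect( admin_url( 'admin.php?page=xgift' ) );
    exit;
}
// add_action( 'admin_post_xgift_save', 'xgift_save_settings_vulnerable' );

// --- Hardened pattern ------------------------------------------------------
// 1. check_admin_referer() verifies a nonce tied to the logged-in user and the
//    action string. A page on another origin cannot read that value, so a
//    forged request fails the check and wp_die() stops processing (CWE-352).
// 2. current_user_can() still enforces authorisation: the nonce only proves
//    the request came from a form this plugin rendered, not that the user is
//    permitted to perform the action.
function xgift_save_settings_hardened() {
    check_admin_referer( 'xgift_save_settings', '_xgift_nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change gift settings.', 'xgift' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Sanitise after the request has been authenticated and authorised.
    $price = isset( $_POST['xgift_price'] ) ? floatval( wp_unslash( $_POST['xgift_price'] ) ) : 0.0;
    if ( $price < 0 ) {
        $price = 0.0;
    }
    update_option( 'xgift_price', $price );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=xgift' ) ) );
    exit;
}
add_action( 'admin_post_xgift_save', 'xgift_save_settings_hardened' );

// The settings form the hardened handler expects. wp_nonce_field() emits the
// hidden nonce input that check_admin_referer() validates on submission.
function xgift_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="xgift_save">
        <?php wp_nonce_field( 'xgift_save_settings', '_xgift_nonce' ); ?>
        <label>Gift price
            <input type="number" step="0.01" min="0" name="xgift_price"
                   value="<?php echo esc_attr( get_option( 'xgift_price', '0' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or REST handler that writes data and confirm it reaches a nonce check (`check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()`) and a capability check before the first `update_option()` or database write; a nonce without a capability check, or the reverse, leaves one half of the protection missing.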
Affected Systems
The affected product is the Woocommerce Gifts Product plugin for WordPress, version 1.0.0 or earlier, supplied by usamafarooq. The plugin runs on WordPress, but the vulnerability lies in the plugin's own code base, not in WordPress core.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS is below 1 %, suggesting a low likelihood of widespread exploitation at this time. Because the flaw is a CSRF, the attacker typically needs the victim to open a crafted page or link while logged in to the site, so the attack vector is social engineering or phishing. The vulnerability is not listed in the CISA KEV catalog, which further supports its current low threat level. Nonetheless, because the flaw lets an attacker change data without holding the victim's credentials, it remains a significant concern whenever a privileged user, such as an administrator, browses untrusted content while logged in.