Impact
Cross‑Site Request Forgery (CSRF) in the highwarden Super Store Finder WordPress plugin allows an attacker to make authenticated requests on behalf of a logged‑in user. The flaw is present in all releases up to and including version 7.5 and lets the attacker perform any action the victim’s WordPress role permits, potentially stealing data, publishing content, or changing settings. The weakness is classified as CWE‑352.
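The pattern behind CWE‑352 in a WordPress plugin, and the standard remediation, are shown below as an added example. This is not Super Store Finder code and does not describe the plugin’s actual handlers; the option name, action name, page slug and required capability are assumptions chosen for illustration. The first handler accepts any request that arrives with the victim’s session cookie; the second binds the form to a per‑user, per‑action nonce and enforces a capability check before writing anything.

```php
<?php
// Added example (not Super Store Finder code): a hypothetical WordPress
// admin-post handler that saves a plugin setting, first unprotected and
// then hardened. Option name, action name, page slug and capability are
// assumptions, not values taken from the affected plugin.

// --- Unprotected pattern (CWE-352): the handler trusts the request as long
// as WordPress recognises the session cookie, so a form on a third-party
// page submitted by the logged-in victim is honoured as if they clicked it.
function ssf_demo_save_settings_unprotected() {
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'ssf_demo_api_key', $api_key );
    wp_safe_redirect( admin_url( 'admin.php?page=ssf-demo' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce tied to this action and the
// current user, and the handler rejects requests that lack a valid nonce or
// come from a user without the required capability.
function ssf_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ssf_demo_save_settings">
        <?php wp_nonce_field( 'ssf_demo_save_settings', 'ssf_demo_nonce' ); ?>
        <input type="text" name="api_key"
               value="<?php echo esc_attr( get_option( 'ssf_demo_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function ssf_demo_save_settings_hardened() {
    // Authorisation: only users allowed to manage options may change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF defence: check_admin_referer() verifies the nonce in the named
    // field and terminates the request if it is missing or invalid. A
    // cross-site page cannot read the victim's nonce, so forged submissions
    // stop here before any state changes.
    check_admin_referer( 'ssf_demo_save_settings', 'ssf_demo_nonce' );

    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'ssf_demo_api_key', $api_key );
    wp_safe_redirect( admin_url( 'admin.php?page=ssf-demo' ) );
    exit;
}

// admin_post_{action} fires for logged-in users posting to admin-post.php.
add_action( 'admin_post_ssf_demo_save_settings', 'ssf_demo_save_settings_hardened' );
```

Both checks matter: the nonce alone stops forged cross‑site requests but still lets any authenticated user with a valid nonce for that action submit it, while the capability check alone does nothing against a request the victim’s own browser sends with their cookies. When reviewing a plugin for this class of flaw, look for every state‑changing handler (`admin_post_*`, `wp_ajax_*`, REST routes, form processors on the front end) and confirm each one verifies a nonce or equivalent token in addition to its authorisation check.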
Affected Systems
All installations of the highwarden Super Store Finder plugin for WordPress with version 7.5 or earlier are vulnerable. The plugin is distributed under the highwarden namespace and is commonly used to provide store location search functionality. No other product families are mentioned.
Risk and Exploitability
The CVSS score of 4.3 indicates low to moderate severity. The EPSS score of < 1 % shows that the probability of exploitation is minimal at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to be authenticated to WordPress and to be lured onto an attacker‑controlled page that submits a request to the vulnerable form or endpoint, so it is largely a “social‑engineering” style attack that depends on user interaction. The overall risk to servers is therefore limited but should not be ignored, especially on sites with high‑value content or administrative functions exposed through the plugin.
OpenCVE Enrichment