Impact
The vulnerability is a Cross‑Site Request Forgery flaw in the purethemes WorkScout‑Core WordPress plugin, version 1.7.06 and older. Because the plugin does not validate that requests originate from legitimate administrative sessions, an attacker can cause an authenticated user to perform privileged actions with the victim’s credentials, potentially altering site content or user data. The weakness is categorized as CWE‑352.
Affected Systems
Any installation of the purethemes WorkScout‑Core plugin older than 1.7.06 is affected. The issue applies to every WordPress site that has the plugin activated in one of those versions.
Risk and Exploitability
The CVSS severity of 8.8 indicates high impact, while the EPSS score of less than 1% shows a low probability of widespread exploitation at this time; consistent with that, the vulnerability is not listed in the CISA KEV catalog. An attacker would typically exploit the CSRF vector by embedding a crafted request in a page or link that a logged‑in admin visits; the admin’s browser then submits the request with the victim’s session cookies attached automatically. Successful exploitation requires the victim to be authenticated to the site, so only users who already hold sufficient privileges can be leveraged. The primary risk is unauthorized operations performed through legitimate users’ sessions, potentially leading to data tampering or unauthorized configuration changes.
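The root cause described above is the missing request-origin check that defines CWE‑352 in a WordPress plugin. The following is an added illustration, not WorkScout‑Core's actual code: a hypothetical `admin-post.php` settings handler shown first without and then with the nonce and capability checks WordPress provides, together with the form that emits the matching nonce (all `hypothetical_*` names are invented for this example).

```php
<?php
// Added illustrative example (not WorkScout-Core's own code). All
// hypothetical_* names are invented; the WordPress API calls are real.

// VULNERABLE: trusts any POST that reaches wp-admin/admin-post.php. A logged-in
// admin's browser attaches the session cookie automatically, so a form submitted
// from an attacker-controlled page is indistinguishable from a legitimate one.
function hypothetical_save_settings_vulnerable() {
    update_option( 'hypothetical_setting', sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-settings' ) );
    exit;
}

// HARDENED: the capability check ties the action to a privileged user, and the
// nonce check ties the request to a form the site itself rendered for that user.
function hypothetical_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce for this action and the current
    // user's session; on failure it stops execution with WordPress's error page.
    check_admin_referer( 'hypothetical_save_settings', 'hypothetical_nonce' );

    update_option( 'hypothetical_setting', sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hypothetical-settings' ) );
    exit;
}
add_action( 'admin_post_hypothetical_save_settings', 'hypothetical_save_settings_hardened' );

// The form the hardened handler expects: wp_nonce_field() emits a hidden input
// named 'hypothetical_nonce' whose value is bound to the action and the user,
// so a third-party page cannot produce a valid one.
function hypothetical_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_save_settings">
        <?php wp_nonce_field( 'hypothetical_save_settings', 'hypothetical_nonce' ); ?>
        <input type="text" name="setting"
               value="<?php echo esc_attr( get_option( 'hypothetical_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

For `admin-ajax.php` handlers the equivalent check is `check_ajax_referer()`, and REST API routes should register a `permission_callback` so that the same capability test runs before any state change.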
OpenCVE Enrichment