Impact
The vulnerability is a classic Cross-Site Request Forgery flaw, classified as CWE-352. It allows an attacker to make an authenticated user's browser submit state-changing requests to a WordPress site that runs the Sendle Shipping plugin. Because the affected plugin carries out these actions without first verifying a CSRF token (in WordPress terms, a nonce), an attacker can place a crafted URL or auto-submitting form on a third-party page that causes shipping configuration changes, address updates, or other plugin-specific operations to be performed in the victim's session. The impact is limited to whatever that session is permitted to do, but it could ultimately affect shipping logistics, potentially leading to financial loss or service disruption.
Affected Systems
The affected system is the Joovii Sendle Shipping WordPress plugin (slug "official-sendle-shipping-method"), in all versions from the earliest release up to and including 6.02. Administrators running WordPress installations with the plugin in this version range are potentially exposed. The product details are limited to the plugin name and affected version range; no additional vendor or subsidiary components are identified.
Risk and Exploitability
The CVSS base score of 4.3 corresponds to Medium severity, while the EPSS score of less than 1% indicates a low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is an unauthenticated attacker hosting a malicious site or sending an email that leads the victim to a crafted URL or embedded form; the request is then sent by the victim's browser, which attaches the victim's existing WordPress session cookie, so the unwanted action runs with the victim's privileges. No further prerequisites such as elevated privileges on the server are required; the attacker merely needs the victim to load the malicious page while logged into the WordPress site. Note that the same-site cookie protections some browsers apply by default can block cross-site POST requests from carrying the session cookie, but top-level GET navigations are typically still sent with it, so a plugin action reachable via a plain link remains exploitable.
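The following is an added illustration of the CSRF pattern described under Impact and of the crafted-URL and crafted-form vectors described above. It is generic WordPress plugin code written for this page, not the Sendle Shipping plugin's own code; the option name `example_sendle_pickup_address`, the action slugs, the function names and the `manage_options` capability are all assumptions chosen for the example. It shows a settings handler that trusts the session cookie alone (the CWE-352 pattern) beside the same handler hardened with a WordPress nonce, plus a GET-driven "reset" link protected the same way.

```php
<?php
/**
 * Illustrative pattern only: a generic WordPress settings handler written for
 * this page, NOT the Sendle Shipping plugin's code. The option name, action
 * slugs, capability and function names are assumptions for the example.
 */

// --- Vulnerable pattern (CWE-352): the state change is keyed only on the
// session cookie, so any page a logged-in admin visits can POST this form
// on their behalf (a hidden auto-submitting form or a crafted link suffices).
function example_sendle_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // No nonce/referer check: the request is trusted solely because the
    // browser attached the victim's WordPress authentication cookie.
    $pickup_address = sanitize_text_field( wp_unslash( $_POST['pickup_address'] ?? '' ) );
    update_option( 'example_sendle_pickup_address', $pickup_address );
    wp_safe_redirect( admin_url( 'admin.php?page=example-sendle&updated=1' ) );
    exit;
}

// --- Hardened pattern: the settings form carries a per-user, time-limited
// nonce that an attacker's page cannot know or forge.
function example_sendle_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sendle_save_settings">
        <?php
        // Emits hidden _wpnonce and _wp_http_referer fields bound to this
        // action string and to the current user's session.
        wp_nonce_field( 'example_sendle_save_settings' );
        ?>
        <label>Pickup address
            <input type="text" name="pickup_address"
                   value="<?php echo esc_attr( get_option( 'example_sendle_pickup_address', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_sendle_save_settings_hardened() {
    // Authorization: the user must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // CSRF defence: check_admin_referer() calls wp_die() unless the submitted
    // _wpnonce was minted for this exact action and this user and has not
    // expired, so a cross-site form without a valid nonce is rejected here.
    check_admin_referer( 'example_sendle_save_settings' );

    // A nonce proves intent, not validity of the data, so input is still sanitized.
    $pickup_address = sanitize_text_field( wp_unslash( $_POST['pickup_address'] ?? '' ) );
    update_option( 'example_sendle_pickup_address', $pickup_address );
    wp_safe_redirect( admin_url( 'admin.php?page=example-sendle&updated=1' ) );
    exit;
}

// --- GET-driven actions (for example a "reset settings" link) need the same
// protection: mint the link with wp_nonce_url() and verify with wp_verify_nonce().
function example_sendle_reset_link() {
    $url = admin_url( 'admin-post.php?action=example_sendle_reset' );
    return wp_nonce_url( $url, 'example_sendle_reset' ); // appends &_wpnonce=<token>
}

function example_sendle_reset_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_sendle_reset' ) ) {
        // A crafted link sent by an attacker lacks a valid nonce and stops here.
        wp_die( 'Invalid or expired request', '', array( 'response' => 403 ) );
    }
    delete_option( 'example_sendle_pickup_address' );
    wp_safe_redirect( admin_url( 'admin.php?page=example-sendle&reset=1' ) );
    exit;
}

// Only the hardened handlers are registered. admin_post_{action} hooks run for
// logged-in users submitting to wp-admin/admin-post.php.
add_action( 'admin_post_example_sendle_save_settings', 'example_sendle_save_settings_hardened' );
add_action( 'admin_post_example_sendle_reset', 'example_sendle_reset_handler' );
```

When reviewing a plugin for this class of bug, the check is mechanical: for every handler hooked to `admin_post_*`, `admin_init`, `wp_ajax_*` or a custom query parameter, confirm that a state change (`update_option`, `delete_option`, database writes, API calls to the shipping provider) is preceded by both a capability check and a nonce check. The capability check alone, as in the vulnerable handler above, does not stop CSRF, because the victim already has the capability.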
OpenCVE Enrichment