Impact
This defect is a classic CSRF flaw that permits an attacker to trigger actions in the WordPress EasyIndex plugin on behalf of a logged-in user. Because the plugin relies on the browser's authenticated session alone and neither issues nor validates anti-CSRF tokens (nonces) for its state-changing requests, an adversary can craft a link or form that, when opened by an unsuspecting logged-in visitor, causes the plugin to perform privileged operations such as content manipulation or configuration changes. The impact is therefore unintended alteration or exposure of data under the victim's account, weakening the confidentiality, integrity, and availability of the site's content in a targeted way.
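To make the missing-nonce pattern concrete, the following is an added illustration written for this page, not EasyIndex's own code: a hypothetical admin-post settings handler shown first without any CSRF check and then with the standard WordPress nonce and capability checks. All `easyindex_demo_*` action, option and nonce names are placeholders.

```php
<?php
// Added illustration (not EasyIndex's code): a hypothetical settings handler
// registered via admin-post.php, first without CSRF protection, then hardened.
// All easyindex_demo_* names are placeholders chosen for this example.

// --- Vulnerable pattern: the session cookie is the only "check". ---
// Any page the logged-in user visits can auto-submit a form to this endpoint;
// the browser attaches the WordPress auth cookie and the change goes through.
function easyindex_demo_save_unprotected() {
    if ( isset( $_POST['index_title'] ) ) {
        update_option( 'easyindex_demo_title', sanitize_text_field( wp_unslash( $_POST['index_title'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce verification. ---
function easyindex_demo_save_protected() {
    // 1. Authorization: the user must actually be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: check_admin_referer() verifies the nonce WordPress rendered into
    //    the form for this user and action, and calls wp_die() on failure, so an
    //    attacker-controlled page cannot forge a valid request.
    check_admin_referer( 'easyindex_demo_save', 'easyindex_demo_nonce' );

    if ( isset( $_POST['index_title'] ) ) {
        update_option( 'easyindex_demo_title', sanitize_text_field( wp_unslash( $_POST['index_title'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_easyindex_demo_save', 'easyindex_demo_save_protected' );

// The legitimate form must embed the nonce; otherwise every real submit fails.
function easyindex_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="easyindex_demo_save">
        <?php wp_nonce_field( 'easyindex_demo_save', 'easyindex_demo_nonce' ); ?>
        <input type="text" name="index_title"
               value="<?php echo esc_attr( get_option( 'easyindex_demo_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or REST callback that writes data and confirm it reaches a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call before the write.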
Affected Systems
WordPress installations that have the EasyIndex plugin installed, versions up to and including 1.1.1704 of the plugin. The defect applies to all copies of the plugin regardless of the WordPress core version, because the vulnerability resides solely in the unprotected plugin code.
Risk and Exploitability
The CVSS score of 5.4 places the flaw in the medium severity range, and the EPSS value of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not catalogued in the CISA KEV list, further suggesting limited real-world exploitation. Based on the description, the likely attack vector requires the victim to be logged into WordPress and to open a malicious link or submit a malicious form, which lets an attacker coerce the victim's browser into performing the unprotected action without the victim's knowledge. The scope is confined to the authenticated session of the target user, but the potential damage could be significant depending on which privileged actions the plugin exposes.
OpenCVE Enrichment