Impact
The identified flaw is a Cross-Site Request Forgery (CSRF) vulnerability in the Yoav Farhi RTL Tester WordPress plugin. The flaw lets an attacker trigger legitimate actions on the site by having forged requests sent from an attacker-controlled webpage when a user interacts with that page. The CVE description does not specify whether the target user must be authenticated, but CSRF attacks typically rely on a victim's authenticated session. The consequence is that an attacker could modify the site's content, change settings, or perform other actions that the authenticated user is authorized to do, thereby compromising the integrity of the website.
Affected Systems
The vulnerability affects all installations of the RTL Tester plugin for WordPress with version 1.2 or earlier. Any WordPress site that has installed this plugin within that range is susceptible. No other WordPress plugins or core components are listed as affected.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attacker would normally perform the exploit by luring the victim into loading a malicious webpage that automatically submits a request to the vulnerable endpoint, using the victim's browser as the vector. No direct network access to the target server is required for this attack.
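The standard WordPress mitigation for this vulnerability class is to bind every state-changing request to a nonce and verify it before acting. The following is an added illustration, not code from the RTL Tester plugin (the page does not identify its vulnerable endpoint); the handler, option and action names are assumed.

```php
<?php
// Added illustration, not the RTL Tester plugin's own code: a hypothetical
// settings handler in its CSRF-prone form and its hardened form. The option
// name, action slug and nonce names are assumed for the example.

// --- Vulnerable pattern: the handler trusts any POST that reaches it. ---
// A form on an attacker-controlled page can submit this request with the
// victim's cookies attached, so the capability check alone is not enough:
// the browser of an authorised user performs the action.
function rtl_demo_save_settings_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $mode = isset( $_POST['rtl_mode'] ) ? sanitize_text_field( wp_unslash( $_POST['rtl_mode'] ) ) : 'off';
    update_option( 'rtl_demo_mode', $mode ); // no proof the request came from our own form
    wp_safe_redirect( admin_url( 'options-general.php?page=rtl-demo' ) );
    exit;
}

// --- Hardened pattern: bind the form to a per-user, time-limited nonce. ---
// The form carries the nonce; the handler verifies it before acting.
function rtl_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rtl_demo_save">';
    wp_nonce_field( 'rtl_demo_save_settings', 'rtl_demo_nonce' ); // emits the hidden nonce field
    echo '<label><input type="checkbox" name="rtl_mode" value="on"> Force RTL</label>';
    submit_button( 'Save' );
    echo '</form>';
}

function rtl_demo_save_settings_safe() {
    // check_admin_referer() validates the nonce (and the Referer header) and
    // calls wp_die() on failure, so a cross-site forged request, which cannot
    // know the victim's nonce, never reaches update_option().
    check_admin_referer( 'rtl_demo_save_settings', 'rtl_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $mode = isset( $_POST['rtl_mode'] ) ? sanitize_text_field( wp_unslash( $_POST['rtl_mode'] ) ) : 'off';
    update_option( 'rtl_demo_mode', $mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=rtl-demo' ) );
    exit;
}

// Route the admin-post.php request (action=rtl_demo_save) to the hardened handler.
add_action( 'admin_post_rtl_demo_save', 'rtl_demo_save_settings_safe' );
```

When auditing a plugin for this issue, look for every handler hooked to admin_post_*, wp_ajax_* or admin_init that writes options or content without a check_admin_referer() or wp_verify_nonce() call ahead of the write.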
OpenCVE Enrichment