Impact
This vulnerability is a classic cross-site request forgery (CSRF) flaw that lets an attacker forge a request from a victim's authenticated WordPress session. The attacker crafts a link or an auto-submitting form to which the victim's browser automatically attaches the site's login cookies, so the request arrives at the plugin fully authenticated and can trigger the plugin's actions, such as installing, updating, activating, or removing plugins, without the victim's knowledge or intent. The impact is unauthorized plugin manipulation, which can cascade to broader compromise if a malicious plugin is installed or a security-critical plugin is disabled. The weakness is catalogued as CWE-352 (Cross-Site Request Forgery).
Affected Systems
The vulnerability affects the HasThemes WP Plugin Manager plugin, version 1.4.7 and earlier. No fixed version is cited in the enrichment, so any deployment running 1.4.7 or earlier should be treated as affected until the vendor's changelog confirms a patched release.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, while the EPSS score below 1% reflects a very low predicted likelihood of exploitation in the wild, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Typical CSRF exploitation requires that the victim be logged in to the site with sufficient privilege (for plugin management, an account holding the activate_plugins or install_plugins capability, normally an administrator) and that they visit an attacker-controlled page or follow a malicious link while that session is active. With no publicly disclosed exploitation patterns, the threat remains moderate but non-negligible, especially for high-value installations whose administrators browse the web from the same browser profile they use for wp-admin.
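The request-forgery mechanism described under Impact and the privilege precondition described above both come down to two missing checks in a WordPress request handler: a nonce that proves the request originated from a page this site rendered for this user, and a capability check that proves the user is allowed to perform the action. The following is an added example, not code from the WP Plugin Manager plugin or from HasThemes; the action name wppm_toggle_plugin, the nonce field name _wppm_nonce, and the function names are assumptions chosen to illustrate the generic CWE-352 pattern in a WordPress plugin, and the vulnerable handler is shown for contrast only and is never registered.

```php
<?php
// Added example, not code from the WP Plugin Manager plugin. The action name
// 'wppm_toggle_plugin', the nonce field '_wppm_nonce' and the function names
// are assumptions chosen to illustrate the pattern, not identifiers from the plugin.

// --- Vulnerable shape: acts on any POST with no origin or privilege check ---
// A page the victim visits can auto-submit a form to admin-post.php with
// action=wppm_toggle_plugin; the browser attaches the victim's WordPress
// cookies, so the request is fully authenticated when it reaches this code.
// Shown for contrast only; it is intentionally NOT hooked with add_action().
function wppm_toggle_plugin_vulnerable() {
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( $plugin !== '' ) {
        if ( is_plugin_active( $plugin ) ) {
            deactivate_plugins( $plugin );
        } else {
            activate_plugin( $plugin );
        }
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// --- Hardened shape: nonce check + capability check + input validation -----
function wppm_toggle_plugin_hardened() {
    // 1. CSRF check. The nonce is derived from the logged-in user and session
    //    and is only embedded in pages this site renders, so a form hosted on
    //    an attacker's origin cannot supply a valid one. check_admin_referer()
    //    calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'wppm_toggle_plugin', '_wppm_nonce' );

    // 2. Authorization check. A nonce proves origin, not privilege: a
    //    low-privileged user submitting the site's own form must still be
    //    refused. 'activate_plugins' is the core capability for this action.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage plugins.', 'wppm-example' ), 403 );
    }

    // 3. Only act on a plugin that actually exists; rejects arbitrary paths.
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( $plugin === '' || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( esc_html__( 'Unknown plugin.', 'wppm-example' ), 400 );
    }

    if ( is_plugin_active( $plugin ) ) {
        deactivate_plugins( $plugin );
    } else {
        activate_plugin( $plugin );
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_wppm_toggle_plugin', 'wppm_toggle_plugin_hardened' );

// The legitimate form must carry the matching nonce so that real submissions
// pass the check that cross-site submissions fail.
function wppm_render_toggle_form( $plugin_file ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wppm_toggle_plugin">
        <input type="hidden" name="plugin" value="<?php echo esc_attr( $plugin_file ); ?>">
        <?php wp_nonce_field( 'wppm_toggle_plugin', '_wppm_nonce' ); ?>
        <?php submit_button( __( 'Toggle plugin', 'wppm-example' ), 'secondary', 'submit', false ); ?>
    </form>
    <?php
}
```

When auditing a plugin of this kind, look for every admin_post_*, wp_ajax_*, and admin-page form handler that changes state and confirm both checks are present: a nonce alone does not stop a subscriber-level account from exercising the action, and a capability check alone does not stop a forged request from an administrator's browser.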
OpenCVE Enrichment