Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to trick a user into submitting a forged request to the WordPress WP Rentals theme. The flaw can be abused to trigger state-changing actions on the site, potentially altering data or performing unauthorized operations. The weakness is identified as CWE-352. The impact is limited to the permissions of the victim user but can affect the confidentiality, integrity, or availability of the rental listings and associated data.
Affected Systems
WpEstate’s WP Rentals WordPress theme, versions up through 3.13.1, is affected. Site administrators running these versions should verify whether their installations include the theme. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity vulnerability. The EPSS score of less than 1% reflects a low probability of exploitation. This issue is not listed in the CISA KEV catalog, so no known active exploitation is reported. An attacker would need to present a crafted request to a user who is currently authenticated to the site. Based on the description, the likely attack vector is a malicious external page that forces an authenticated user to send a request to the theme's endpoints without proper CSRF protection.
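The following is an added illustration of the defect class and its fix in WordPress terms; it is not code from the WP Rentals theme and does not reproduce the theme's actual endpoints. The handler names (hypo_update_listing and variants), the 'hypo_listing' post type, the 'security' field name, the script handle and the HypoListing JavaScript object are all assumptions made for the example. It shows a state-changing AJAX handler that relies only on the session cookie beside a hardened version that verifies a WordPress nonce, a capability and the target object, and it shows how the nonce is issued to the legitimate front end and to a classic form.

```php
<?php
/* Added example, not WP Rentals code. All hypo_* names, the 'hypo_listing'
 * post type, the 'security' field and the HypoListing JS object are assumed. */

/* Shared update logic used by both hardened handlers below.
 * Returns true on success, false when the caller is not allowed or the
 * target is not a listing. The nonce proves intent; this proves permission. */
function hypo_apply_price_update( $listing_id, $price ) {
    if ( ! $listing_id || ! current_user_can( 'edit_post', $listing_id ) ) {
        return false;                                   // caller may not edit this post
    }
    if ( get_post_type( $listing_id ) !== 'hypo_listing' ) {
        return false;                                   // wrong object type (assumed name)
    }
    update_post_meta( $listing_id, 'price', $price );
    return true;
}

/* --- Vulnerable pattern: the request is trusted because a session cookie is present.
 * The browser sends that cookie automatically, so a form on an attacker-controlled
 * page can make the victim's browser submit this request (CWE-352). --- */
function hypo_update_listing_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $price      = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    update_post_meta( $listing_id, 'price', $price );   // state change, no origin check
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_update_listing_vulnerable', 'hypo_update_listing_vulnerable' );

/* --- Hardened AJAX handler: nonce first, then authorization. --- */
function hypo_update_listing_hardened() {
    // The nonce is bound to the user session and the action string. A cross-site
    // page cannot read it, so a forged request stops here (check_ajax_referer()
    // terminates the request with -1 when the 'security' field is missing or bad).
    check_ajax_referer( 'hypo_update_listing', 'security' );

    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $price      = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );

    if ( ! hypo_apply_price_update( $listing_id, $price ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'listing_id' => $listing_id ) );
}
add_action( 'wp_ajax_hypo_update_listing', 'hypo_update_listing_hardened' );

/* Hand the nonce to the legitimate front-end script (assumed handle and path),
 * which must send it as the 'security' POST field to admin-ajax.php. */
function hypo_enqueue_listing_script() {
    wp_enqueue_script( 'hypo-listing-js', get_template_directory_uri() . '/js/listing.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypo-listing-js', 'HypoListing', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypo_update_listing' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'hypo_enqueue_listing_script' );

/* Classic (non-AJAX) form: emit the nonce field in the template ... */
function hypo_render_price_form( $listing_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'hypo_update_listing', 'security' ); ?>
        <input type="hidden" name="action" value="hypo_update_listing">
        <input type="hidden" name="listing_id" value="<?php echo esc_attr( $listing_id ); ?>">
        <input type="text" name="price">
        <button type="submit">Update price</button>
    </form>
    <?php
}

/* ... and verify it in the admin-post.php handler with wp_verify_nonce(). */
function hypo_handle_price_form() {
    $nonce = isset( $_POST['security'] ) ? sanitize_text_field( wp_unslash( $_POST['security'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hypo_update_listing' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $price      = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    if ( ! hypo_apply_price_update( $listing_id, $price ) ) {
        wp_die( 'Not allowed.', 'Forbidden', array( 'response' => 403 ) );
    }
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
add_action( 'admin_post_hypo_update_listing', 'hypo_handle_price_form' );
```

The nonce check is placed before any input is read or any write happens, and it is paired with a capability and object-type check because a valid nonce only shows the request originated from the site's own page for that user, not that the user is entitled to change that listing. When reviewing a theme for this defect class, look for every wp_ajax_*, admin_post_* or template-level POST handler that writes to the database and confirm it calls check_ajax_referer(), check_admin_referer() or wp_verify_nonce() on a field that the matching front-end code actually emits.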
OpenCVE Enrichment