Impact
A Cross‑Site Request Forgery vulnerability exists in Younes JFR's Advanced Database Cleaner plugin, allowing an attacker to submit a forged request that performs plugin‑controlled operations without the user’s consent. The flaw can lead to unintended actions that the plugin is permitted to execute, affecting the integrity of the site’s data and potentially its availability. This weakness is identified as CWE‑352.
Affected Systems
The vulnerability affects Younes JFR’s Advanced Database Cleaner plugin for WordPress, from the earliest available release up to and including version 3.1.6. No additional product variants or versions are identified beyond the documented upper bound of 3.1.6.
Risk and Exploitability
The CVSS base score of 4.3 indicates moderate severity, and an EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Exploitation requires the attacker to induce a user who is authenticated to the affected WordPress site to visit a crafted URL or click a malicious link. No successful public exploitation has been reported, and the attack vector is inferred to involve a legitimate user session, making the overall risk moderate but still actionable.