Impact
This vulnerability is a Cross Site Request Forgery (CSRF) flaw that allows an attacker to cause a victim’s browser to perform unwanted actions on a WordPress site that uses the WPGraphQL plugin. The flaw stems from insufficient verification of requests and is classified as CWE-352. An attacker who tricks a logged‑in user into visiting a malicious page can potentially invoke GraphQL operations with the victim’s privileges, compromising the confidentiality, integrity, or availability of site data. The impact is limited to the scope of the victim’s authenticated session but can lead to unauthorized data modification or retrieval.
Affected Systems
The affected product is the WordPress WPGraphQL plugin, versions from the earliest releases up to and including 2.5.3. Any WordPress installation that has the WPGraphQL plugin installed at 2.5.3 or earlier is vulnerable. This includes sites that rely on the plugin’s GraphQL API endpoints to expose site data or functionality.
Risk and Exploitability
Based on the description, it is inferred that the likely attack vector is an HTTP request originating from an attacker’s domain that forces the victim’s authenticated browser to submit a GraphQL operation. The CVSS score of 5.4 indicates a medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. However, because CSRF attacks typically require a victim who is already authenticated, the likelihood of exploitation depends on the attacker’s ability to lure a logged‑in user to a phishing page or a malicious link. The flaw can be exploited by sending a forged request from an attacker’s site to a victim’s WordPress site, leveraging the victim’s logged‑in session to perform GraphQL mutations. The lack of mandatory CSRF tokens at the plugin level makes this possible.
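The following is an added illustration (not WPGraphQL's or WordPress's own code) of the server-side check whose absence the paragraph above describes: a cookie-authenticated GraphQL request is only executed with the logged-in user's privileges if it also carries a nonce bound to that user's session and, when an Origin or Referer is present, it matches the site. The site URL, secret key, nonce action name and the X-WP-Nonce header name are assumptions modelled on the WordPress REST API's cookie-authentication pattern; the sample requests are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed example, not WPGraphQL's own code: models the WordPress REST API
# defence of honouring a cookie session only with a session-bound nonce and a same-site Origin.
SITE_ORIGIN = "https://example.test"    # assumed site URL
SECRET = b"constructed-server-secret"   # assumed server-side key, never sent to clients
TICK_SECONDS = 12 * 3600                # WordPress-style 12 hour nonce ticks
NONCE_ACTION = "graphql-csrf"           # assumed action name for this endpoint

def _digest(tick, user_id, session_token):
    msg = f"{tick}|{NONCE_ACTION}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]

def make_nonce(user_id, session_token, now=None):
    """Issued only inside the site's own pages, so a cross-site page cannot read it."""
    now = time.time() if now is None else now
    return _digest(int(now // TICK_SECONDS), user_id, session_token)

def verify_nonce(nonce, user_id, session_token, now=None):
    """Current and previous tick are accepted, as WordPress nonces are."""
    tick = int((time.time() if now is None else now) // TICK_SECONDS)
    return any(hmac.compare_digest(nonce, _digest(tick - d, user_id, session_token))
               for d in (0, 1))

def auth_decision(request, now=None):
    """'user': run the GraphQL document with the cookie session's privileges.
    Anything else: run it as an unauthenticated visitor, which is all a forged
    cross-site request (it cannot read the nonce) should ever obtain."""
    session = request.get("cookie_session")
    if not session:
        return "anonymous"
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
            return "cross-origin"
    nonce = headers.get("X-WP-Nonce", "")
    if not verify_nonce(nonce, session["user_id"], session["token"], now):
        return "no-nonce"
    return "user"

# Constructed requests: legitimate front-end mutation vs. forged one from attacker.test, same victim cookie.
NOW, SESSION = 1_700_000_000, {"user_id": 7, "token": "sess-abc"}
LEGIT = {"cookie_session": SESSION, "headers": {
    "Origin": SITE_ORIGIN, "X-WP-Nonce": make_nonce(7, "sess-abc", NOW)}}
FORGED = {"cookie_session": SESSION, "headers": {"Origin": "https://attacker.test"}}
```

A forged request still reaches the endpoint, but it is downgraded to an anonymous query rather than rejected outright, which is exactly why the nonce (not the cookie) becomes the proof that the request came from the site's own front end.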
OpenCVE Enrichment