Impact
The vulnerability is a Server-Side Request Forgery (SSRF) flaw in the Youzify WordPress plugin that allows an attacker to cause the server to make arbitrary HTTP requests to internal or external resources. This can lead to the exposure of sensitive internal information, unauthorized resource consumption, or other indirect attacks such as exploiting services behind the firewall. The weakness is classified as CWE-918, reflecting an unvalidated URL being used in outbound requests.
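The following is an added example, not code from the Youzify plugin or from the advisory: a generic CWE-918 guard that decides whether a user-supplied URL may be fetched, refusing any destination that resolves to a loopback, private or reserved address. The function name, the injectable resolver and the sample hostnames are assumptions made for illustration.

```php
<?php
// Added example: a generic CWE-918 guard, not code from the Youzify plugin.
// Function, parameter and host names are hypothetical.

/**
 * Decide whether a user-supplied URL may be fetched by the server.
 * $resolver maps a hostname to a list of IP strings; it is injectable so the
 * check can be exercised offline with constructed data.
 */
function outbound_url_allowed(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                               // malformed or host-less URL
    }
    // Only plain web schemes are allowed for outbound fetches.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]');             // strip IPv6 literal brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                             // host is already an IP literal
    } else {
        $resolver = $resolver ?? 'gethostbynamel';  // note: IPv4 records only
        $ips = $resolver($host) ?: [];
    }
    if ($ips === []) {
        return false;                               // unresolvable: fail closed
    }
    // Every resolved address must be public; one internal record is enough to refuse.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs; the stub resolver stands in for DNS.
$records = ['intranet.example' => ['10.0.0.5'], 'cdn.example' => ['93.184.216.34']];
$dns = fn(string $h): array => $records[$h] ?? [];
foreach (['http://127.0.0.1/', 'http://[::1]/', 'http://intranet.example/',
          'ftp://cdn.example/x', 'https://cdn.example/a.png'] as $u) {
    printf("%-28s %s\n", $u, outbound_url_allowed($u, $dns) ? 'allow' : 'deny');
}
```

A check like this only holds if the fetch then connects to the address that was validated and re-validates every redirect target; otherwise a DNS change or redirect between check and use bypasses it. In WordPress, wp_safe_remote_get() is the core wrapper that rejects unsafe URLs.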
Affected Systems
All installations of the Youzify plugin up to and including version 1.3.7 are affected. This includes every WordPress site that has deployed any of those plugin versions, regardless of the WordPress core version, as the vulnerability resides solely within the plugin code base.
Risk and Exploitability
The CVSS score of 4.9 rates this as a moderate-severity flaw, but the EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, so it has not been documented as a known exploited vulnerability. An attacker would need to send a request that targets the vulnerable plugin endpoint. Whether exploitation is possible from an authenticated or an unauthenticated context depends on the plugin's access controls; the description does not specify required permissions, so the vector is inferred to be available to anyone who can reach the plugin's request handling.
OpenCVE Enrichment