Impact
The Friendly Functions for Welcart plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability that allows an unauthenticated attacker to modify plugin settings on the settings page, because nonce validation on that page is missing or incorrect. If the attacker convinces a site administrator to click a crafted link or perform an action, the attacker can alter configuration values that may affect how the plugin operates or how the site behaves. This could compromise plugin functionality, and an attacker might leverage the altered settings to facilitate further attacks.
Affected Systems
Any WordPress site running the Friendly Functions for Welcart plugin with a version up to and including 1.2.5 is affected. The plugin is maintained by mainichiweb. No other vendor or product versions are known to be impacted.
Risk and Exploitability
The CVSS base score of 4.3 indicates low severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA's KEV catalog. The impact is confined to the WordPress administrative context: an attacker must coerce an authenticated administrator into performing an action. Because the settings page does not validate a nonce, exploitation is trivial once the attacker can deliver a crafted link or form submission to that administrator. The overall risk for an internet-facing site whose administrators log in is moderate, because the attacker can achieve administrative configuration changes without authenticating directly.
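The defect described in the Impact and Risk sections above is a settings handler that saves whatever arrives in a POST request without checking a WordPress nonce. The following is an added illustration, not code from the Friendly Functions for Welcart plugin or from mainichiweb: it shows a handler of that shape next to the corrected form, which renders a nonce into the settings form and rejects submissions that do not carry a valid one. The function, option and field names (`ffw_example_*`) are hypothetical placeholders chosen for this example.

```php
<?php
/*
 * Added example (not the plugin's own code). Option, field and function
 * names are hypothetical. Demonstrates the missing-nonce pattern the
 * advisory describes and the standard WordPress fix.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Saves the option on any POST that carries the field. A request forged from
// another origin, submitted by a logged-in administrator's browser, is
// accepted because nothing ties the request to a form the site itself rendered.
function ffw_example_save_settings_unsafe() {
    if ( isset( $_POST['ffw_example_setting'] ) ) {
        update_option(
            'ffw_example_setting',
            sanitize_text_field( wp_unslash( $_POST['ffw_example_setting'] ) )
        );
    }
}

// --- Hardened pattern -----------------------------------------------------
// The settings form embeds a nonce bound to the action name and to the
// current user; wp_nonce_field() emits the hidden field and a referer field.
function ffw_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'ffw-example' ) );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ffw_example_save_settings', 'ffw_example_nonce' ); ?>
        <label for="ffw_example_setting">Example setting</label>
        <input type="text" id="ffw_example_setting" name="ffw_example_setting"
               value="<?php echo esc_attr( get_option( 'ffw_example_setting', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// The save handler verifies capability and nonce before touching any option.
// check_admin_referer() calls wp_die() when the nonce is absent or invalid,
// so a forged cross-site request never reaches update_option().
function ffw_example_save_settings_safe() {
    if ( ! isset( $_POST['ffw_example_setting'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'ffw-example' ) );
    }
    check_admin_referer( 'ffw_example_save_settings', 'ffw_example_nonce' );

    update_option(
        'ffw_example_setting',
        sanitize_text_field( wp_unslash( $_POST['ffw_example_setting'] ) )
    );
}
add_action( 'admin_init', 'ffw_example_save_settings_safe' );
```

Two points are worth checking when reviewing a plugin for this class of bug. First, the nonce check must sit in the code path that writes the option, not only in the page that renders the form; a nonce field in the HTML does nothing if the handler never calls `check_admin_referer()` or `wp_verify_nonce()`. Second, the nonce is not a substitute for the capability check: `current_user_can( 'manage_options' )` still decides who may change settings, while the nonce decides whether this particular request came from a form the site served to that user. Plugins that register their options through the Settings API and post to `options.php` with `settings_fields()` get both checks from WordPress core for free.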
OpenCVE Enrichment