Impact
The vulnerability is an unauthenticated Cross‑Site Request Forgery flaw found in WordPress Dating Theme versions 11.2.0 and earlier. An attacker can craft a malicious request that the theme accepts without verifying a CSRF token, allowing the request to be executed under any logged‑in user’s session. If successful, the attacker can modify account settings, change user roles or passwords, effectively taking over the victim’s account. The weakness is attributed to CWE‑352, an omission of proper CSRF token validation.
Affected Systems
The affected product is the WordPress Dating Theme from PremiumPress Limited for WordPress, specifically all releases up to and including 11.2.0, which are still deployed by site owners. No other products or vendors are impacted.
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity, while the EPSS score is not publicly available, suggesting no current evidence of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely through a malicious link or form submission that a logged‑in user visits or submits, with no need for authentication or special access. Given the lack of mitigation controls in the affected versions, an attacker with access to a user’s session cookie can immediately exploit the flaw to alter account data.
OpenCVE Enrichment