Impact
The vulnerability is a classic Cross‑Site Request Forgery flaw that allows a malicious actor to force an authenticated user, such as a site administrator, to perform actions the user did not intend. The issue arises because the PawFriends theme does not validate the origin of certain requests, so a crafted link or script can change content, delete posts, or alter theme settings. Based on the description, it is inferred that any action that modifies site data or configuration could be performed without user consent, representing a moderate‑severity weakness classified as CWE‑352.
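The missing origin check described above, as an added PHP example that is not PawFriends code: the handler and option names (example_save_settings, example_theme_color, example_nonce) are assumptions. The first handler processes any POST that reaches it; the second requires the WordPress nonce that ties the request to the form the admin actually loaded, plus a capability check.

```php
<?php
// Hypothetical theme settings handler; names are assumptions, not PawFriends code.

// Vulnerable pattern (shown for contrast, not registered below): the handler
// trusts any POST that reaches it. A request forged from another origin by an
// already-authenticated admin's browser is processed like a legitimate one.
function example_save_settings_vulnerable() {
    update_option( 'example_theme_color', sanitize_text_field( $_POST['color'] ?? '' ) );
    wp_safe_redirect( admin_url( 'themes.php?page=example-settings' ) );
    exit;
}

// Hardened pattern: the settings form embeds a nonce bound to the action and
// the current user, and the handler rejects requests without a valid one.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="color">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Authorisation: only users allowed to manage options may change theme settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce and stops with a 403 if it is
    // missing or invalid, so a cross-site forged request never reaches update_option().
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    update_option( 'example_theme_color', sanitize_text_field( $_POST['color'] ?? '' ) );
    wp_safe_redirect( admin_url( 'themes.php?page=example-settings' ) );
    exit;
}
```

Nonces are per-user and time-limited, so a page a third party controls cannot obtain one for the victim; that is what makes the hardened handler resistant to the CSRF described here.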
Affected Systems
The problem impacts the Mikado‑Themes PawFriends – Pet Shop and Veterinary WordPress Theme for all releases up to and including version 1.3. Users running those versions are susceptible; no other products are mentioned as affected.
Risk and Exploitability
With a CVSS score of 5.4 the vulnerability carries moderate severity, while the EPSS figure of less than 1% suggests that exploitation is unlikely but not impossible. The likely attack vector is a browser‑based CSRF scenario that requires the victim to be logged into the WordPress admin area. Because the attacker needs no credentials of their own, any logged‑in user with administrative privileges can be coerced into triggering the malicious request. The consequence of unauthorized state changes can be significant for sites that host customer data or e‑commerce features, though the overall risk remains moderate due to the low exploitation probability.
OpenCVE Enrichment