Impact
The vulnerability is a classic CSRF flaw exposed by the Recorp Export WP Page to Static HTML/CSS plugin. An attacker could forge a request from a victim’s browser to invoke the plugin’s export functionality without the victim’s knowledge, potentially altering site content or generating unwanted static pages. The weakness is classified as CWE‑352 and is not exploitable for arbitrary code execution or direct data exfiltration, but it enables malicious state changes on the target site.
Affected Systems
This flaw affects the WordPress Export WP Page to Static HTML/CSS plugin (by Recorp) in all versions up to and including 6.0.0. Any WordPress installation that has this plugin installed and has users with permissions to invoke the export feature is vulnerable. Versions prior to the release of 6.0.1 contain the vulnerability.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium severity impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting the exploitation rate is not well documented. The attack likely requires a victim to be logged into WordPress and to visit a crafted URL, or for an attacker to host a malicious page that tricks the logged‑in user into sending a forged request. The vulnerability can be leveraged with minimal effort and no advanced prerequisites, so the risk remains moderate.
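For defenders reviewing whether such forged requests reached a site, the following added example (not code from the plugin or from this advisory) scans combined-format access logs for WordPress admin handler requests whose Referer belongs to another origin. The site hostname, the log lines and the action name `example_export_action` are constructed, and it is an assumption that the export feature is reached through `admin-ajax.php` or `admin-post.php`, since the advisory does not name the endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "blog.example.test"  # assumption: the WordPress site's own hostname
# WordPress's general admin request handlers (assumed entry point, see lead-in)
ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

# Apache/nginx "combined" access log format
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not taken from any real system)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_export_action HTTP/1.1" 200 512 "https://other.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:05:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "https://blog.example.test/wp-admin/tools.php" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:09:13 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://other.example.net/form.html" "Mozilla/5.0"',
]

def cross_site_admin_requests(lines, site_host=SITE_HOST):
    """Return admin-handler requests whose Referer names a different host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m["target"])
        if url.path not in ADMIN_ENDPOINTS:
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host is None or ref_host.lower() == site_host:
            continue  # same-site or absent Referer is not evidence by itself
        # For POSTs the action usually travels in the body, which is not logged
        action = parse_qs(url.query).get("action", ["<in POST body>"])[0]
        findings.append((m["ts"], m["ip"], m["method"], action, ref_host))
    return findings

if __name__ == "__main__":
    for finding in cross_site_admin_requests(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for correlation with the logged-in user's session and with unexpected export output, not proof of exploitation, because legitimate integrations can also send cross-origin requests.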
OpenCVE Enrichment