Impact
Cross-Site Request Forgery (CSRF) is a vulnerability that permits an attacker to trick a logged‑in user into sending a request that the application accepts as legitimate: the victim's browser attaches the site's session cookie automatically, so a state‑changing request submitted from a third‑party page is indistinguishable from one the user intended. In this case the flaw resides in the WpDevArt Organization chart plugin, enabling an attacker to perform actions without the user's explicit consent. The impact centers on unauthorized changes to the organization chart, potentially altering displayed information, adding or removing entries, or executing other privileged functions of the plugin. The weakness aligns with CWE‑352, reflecting a lack of proper request validation (for a WordPress plugin, typically a missing nonce check on the handler that performs the change).
Affected Systems
The WpDevArt Organization chart plugin for WordPress is affected, with all releases from the earliest supported version through 1.7.5 subject to the flaw. Administrators and users with permission to modify organization charts who use any of these versions are at risk.
Risk and Exploitability
The CVSS score is 4.3, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no documented public exploitation at this time. The likely attack vector requires the victim to be authenticated to WordPress with sufficient rights to modify organization charts, and to visit a crafted page or click a link that triggers the plugin's state‑changing operation. Exploitation is technically straightforward but depends on social engineering or an already compromised user session, so the risk is rated moderate.
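The following is an added illustration, not code from the WpDevArt Organization chart plugin or from OpenCVE. It shows the CWE‑352 pattern described above in a hypothetical WordPress admin-post handler that saves a chart entry, next to the hardened form of the same handler. All function, option, action and field names (orgchart_save, orgchart_nonce, orgchart_demo_title, the admin page slug) are assumed for the example; the WordPress APIs used (wp_nonce_field, check_admin_referer, current_user_can, admin_post_* actions) are the standard ones.

```php
<?php
// Added example (assumed names); not the plugin's own code.
// Demonstrates why a handler without request validation is CSRF-prone (CWE-352)
// and how a WordPress nonce plus a capability check closes the gap.

// --- Weak pattern (shown for contrast only, deliberately NOT hooked) ---
// Any page the victim visits can auto-submit a form to admin-post.php with
// action=orgchart_save; the browser attaches the WordPress session cookie, and
// nothing here proves the request came from a form this user was actually shown.
function orgchart_save_weak() {
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'orgchart_demo_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=orgchart-demo' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce bound to this user + action ---
function orgchart_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'orgchart_save', 'orgchart_nonce' ); ?>
        <input type="hidden" name="action" value="orgchart_save">
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'orgchart_demo_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_orgchart_save', 'orgchart_save_hardened' );
function orgchart_save_hardened() {
    // 1. Authorization: the caller must be allowed to change this setting.
    //    A nonce is not a substitute for this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Request validation: check_admin_referer() verifies the nonce in
    //    $_POST['orgchart_nonce'] against the 'orgchart_save' action for the
    //    current user and calls wp_die() if it is missing or invalid, so a
    //    cross-site form never reaches the state change below.
    check_admin_referer( 'orgchart_save', 'orgchart_nonce' );

    // 3. Only now perform the privileged change, with input sanitised.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'orgchart_demo_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=orgchart-demo' ) ) );
    exit;
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every handler hooked to an admin_post_*, wp_ajax_* or init-time action that writes options, posts or custom tables should call check_admin_referer() (or check_ajax_referer() / wp_verify_nonce() for AJAX and REST-free endpoints) before the write, and the corresponding form or URL must emit the matching nonce with wp_nonce_field() or wp_nonce_url(). A capability check alone does not stop CSRF, because the victim in a CSRF scenario already holds the capability.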
OpenCVE Enrichment