Impact
Cross-Site Request Forgery (CSRF) is a weakness in the shufflehound Lemmony WordPress theme that allows a malicious site to make an authenticated user's browser perform unintended actions on the affected site. The vulnerability is classified as CWE-352 and does not by itself provide code execution or privilege escalation. Instead, it permits unauthorized changes to site content or configuration, affecting the integrity of the site and potentially disrupting service availability.
Affected Systems
All releases of the Lemmony theme before version 1.7.1 are affected; the description gives the affected range as n/a through versions earlier than 1.7.1, so no lower bound is stated. Any WordPress installation running a Lemmony theme version earlier than 1.7.1 is susceptible.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. An EPSS score below 1% suggests that widespread exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on typical CSRF exploitation patterns, the likely attack vector involves an authenticated site user visiting a malicious page that sends a forged request; this inference is drawn from common CSRF mechanics rather than explicit confirmation. The risk remains moderate because, while an attacker cannot compromise the underlying server, they can alter site content or settings, which may lead to loss of integrity and potential service disruption.
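The mechanics above (a logged-in browser is made to submit a state-changing request, and the site honours it because only the session cookie is checked) are the generic shape of CWE-352 in a WordPress theme. The following is an added illustration of that shape and of the standard WordPress mitigation; it is not the Lemmony theme's code, and the option name, AJAX action name, capability and admin page hook used here are hypothetical choices for the example.

```php
<?php
/**
 * Added illustration of CWE-352 (CSRF) in a WordPress theme admin-ajax handler.
 * This is NOT the Lemmony theme's code; the option name, AJAX action name,
 * capability and admin page hook below are hypothetical choices for the example.
 */

// Vulnerable shape: the handler trusts the session cookie alone. Because the
// browser attaches cookies automatically, a form auto-submitted by a third-party
// page reaches this code as the logged-in user and the option is overwritten.
function demo_save_tagline_vulnerable() {
    $tagline = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'demo_theme_tagline', $tagline );
    wp_send_json_success( array( 'tagline' => $tagline ) );
}

// Hardened shape: (1) verify a nonce that only a page rendered by this site for
// this user could contain, and (2) check the capability the action requires.
function demo_save_tagline_secure() {
    // check_ajax_referer() runs wp_verify_nonce() on $_POST['_ajax_nonce']
    // (falling back to '_wpnonce') and stops the request with HTTP 403 when
    // the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_tagline' );

    // A nonce proves intent, not authorisation: still require the capability.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    $tagline = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'demo_theme_tagline', $tagline );
    wp_send_json_success( array( 'tagline' => $tagline ) );
}
// Only the hardened handler is wired up; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_demo_save_tagline', 'demo_save_tagline_secure' );

// The legitimate admin page hands the nonce to its script so the genuine
// request can carry it; a cross-origin page cannot read this value.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    // Hypothetical hook suffix for the theme's settings page.
    if ( 'appearance_page_demo_theme' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'demo-theme-admin',
        get_template_directory_uri() . '/js/admin.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-theme-admin', 'demoTheme', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_save_tagline' ),
    ) );
} );
```

When reviewing a theme or plugin for this class of bug, the check is mechanical: every handler registered on `wp_ajax_*`, `admin_post_*` or a settings form that writes state must call `check_ajax_referer()`, `check_admin_referer()` or `wp_verify_nonce()` before the write, and must separately test `current_user_can()`, since a nonce alone does not establish what the user is allowed to do.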
OpenCVE Enrichment