Impact
The NewsExo WordPress theme contains a CSRF vulnerability: an attacker can craft a request that a legitimate, logged-in user's browser submits without the user intending it. This can lead to unauthorized changes within the site, such as modifying settings, posting content, or performing any other action the victim's account is permitted to perform. The underlying weakness is a missing or improperly validated anti-CSRF token, classified as CWE-352 (Cross-Site Request Forgery).
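As an added illustration of the weakness class named above (CWE-352, a missing or improperly validated anti-CSRF token), and not code from the NewsExo theme or from OpenCVE, the following hypothetical WordPress settings handler shows the unprotected pattern beside the corrected one. Every function, option, action and nonce name in it is invented for the example; only the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, and so on) are real.

```php
<?php
/**
 * Hypothetical WordPress theme settings handler illustrating CWE-352.
 * The first function trusts any POST reaching admin-post.php; the second
 * binds the request to a nonce and checks the caller's capability.
 * Names prefixed example_theme_ are invented; this is not NewsExo's code.
 */

// --- Vulnerable: no nonce, no capability check -------------------------
// A third-party page can make an authenticated user's browser submit this
// form; the browser attaches the WordPress login cookie automatically, so
// the request is processed with that user's privileges.
function example_theme_save_settings_vulnerable() {
    if ( isset( $_POST['example_theme_footer_text'] ) ) {
        update_option(
            'example_theme_footer_text',
            sanitize_text_field( wp_unslash( $_POST['example_theme_footer_text'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'themes.php?page=example-theme&saved=1' ) );
    exit;
}

// --- Hardened: nonce bound to the action, plus a capability check --------
function example_theme_save_settings_hardened() {
    // 1. The nonce proves the request came from a form WordPress rendered
    //    for this user and this action within the nonce lifetime.
    //    check_admin_referer() calls wp_die() on failure, so nothing below
    //    runs for a forged request.
    check_admin_referer( 'example_theme_save_settings', '_example_theme_nonce' );

    // 2. CSRF protection is not authorization: still confirm the user is
    //    allowed to change theme settings at all.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example-theme' ), 403 );
    }

    if ( isset( $_POST['example_theme_footer_text'] ) ) {
        update_option(
            'example_theme_footer_text',
            sanitize_text_field( wp_unslash( $_POST['example_theme_footer_text'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'themes.php?page=example-theme&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_theme_save_settings', 'example_theme_save_settings_hardened' );

// The settings form must emit the matching nonce field. wp_nonce_field()
// prints a hidden input named _example_theme_nonce whose value is derived
// from the action name, the current user's session and the current time
// window, so a page on another origin cannot predict or reuse it.
function example_theme_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_theme_save_settings" />
        <?php wp_nonce_field( 'example_theme_save_settings', '_example_theme_nonce' ); ?>
        <label>
            Footer text
            <input type="text" name="example_theme_footer_text"
                   value="<?php echo esc_attr( get_option( 'example_theme_footer_text', '' ) ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a theme or plugin for this weakness, look for every handler reached through admin-post.php, admin-ajax.php, or a custom REST route and confirm it both verifies a nonce (or a REST cookie nonce) and checks a capability; a nonce that is generated but never verified, or verified against a different action string than the one used to create it, is the "improperly validated" case described above.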
Affected Systems
Vulnerable versions are all NewsExo releases up to and including 7.1, and any site running one of these versions is at risk. Releases newer than 7.1 are not affected, so upgrading past this point removes the risk. The issue is present in a default installation of the theme; no additional configuration is needed for a site to be exposed.
Risk and Exploitability
The severity is considered high due to the potential for an attacker to cause arbitrary actions on behalf of an authenticated user. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector involves a malicious link or embedded form that the target user clicks or submits, sending a forged request to the site. Because the flaw does not require local execution or privileged access, it can be exploited remotely with minimal effort once a user visits the malicious page.
OpenCVE Enrichment