Impact
Unauthenticated Cross Site Request Forgery (CSRF) exists in the WP Migrate Lite plugin versions 2.7.8 and older. The flaw allows an attacker to trick a user into sending a forged HTTP request to the site, causing unintended actions to be performed on behalf of that user. Because the vulnerability requires no authentication, any visitor can trigger the exploit, but the actual impact depends on the privileges of the user who visits the malicious link. The weakness is classified as CWE‑352.
Affected Systems
WordPress sites that use the WP Migrate Lite plugin supplied by WP Engine, with a version equal to or lower than 2.7.8. The issue does not affect newer releases, such as 2.7.9 and later.
Risk and Exploitability
The CVSS score of 4.7 indicates a moderate security risk. The EPSS score is less than 1%, implying a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a browser‑based CSRF attack that does not require authentication and can be triggered by any user who visits a crafted URL. Because the exploit requires only the victim’s browser, it is easier to launch but results in the attacker performing actions that the user’s account authorizes.
OpenCVE Enrichment