Impact
The Remove Yellow BGBOX WordPress plugin does not enforce proper nonce validation on the "rybb_api_settings" page, allowing a Cross‑Site Request Forgery attack. An unauthenticated attacker can craft a forged request that, if a logged‑in administrator follows a malicious link, will reset or overwrite the plugin’s stored configuration. Because the plugin’s settings can affect site behavior, this could lead to configuration changes that break site functionality or expose sensitive data, even though it does not directly provide code execution or data exfiltration. The weakness maps to CWE‑352, a classic CSRF flaw.
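The following is an added example, not code from the Remove Yellow BGBOX plugin or its author. It sketches a generic WordPress options page to show the class of defect described above: a settings handler that accepts any POST while an administrator's session cookies are present, next to the same handler with WordPress's capability and nonce checks. Only the page slug "rybb_api_settings" comes from the advisory; the option name, the `hypothetical_*` function names and the `api_key` field are assumptions made for illustration.

```php
<?php
/*
 * Added illustration of CWE-352 in a WordPress settings handler.
 * Not the plugin's code: option keys, function names and the
 * "api_key" field are hypothetical; only the slug is from the advisory.
 */

// --- Vulnerable pattern: no nonce, so a cross-site POST that rides on the
// --- administrator's cookies is indistinguishable from a genuine submit.
function hypothetical_settings_save_vulnerable() {
    if ( isset( $_POST['api_key'] ) ) {
        update_option( 'hypothetical_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) );
    }
}

// --- Hardened pattern: capability check plus a nonce bound to one action.
function hypothetical_settings_save_hardened() {
    if ( ! isset( $_POST['api_key'] ) ) {
        return;
    }
    // Only users allowed to manage options may save settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypothetical' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the "_wpnonce" field for this action and
    // stops the request (HTTP 403, "The link you followed has expired.") when the
    // field is missing, stale, or was issued for a different action or user.
    check_admin_referer( 'hypothetical_save_settings' );
    update_option( 'hypothetical_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) );
}

// Form rendering: wp_nonce_field() emits the hidden nonce that the hardened
// handler expects, tied to the same action string.
function hypothetical_settings_page() {
    hypothetical_settings_save_hardened();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=rybb_api_settings' ) ); ?>">
        <?php wp_nonce_field( 'hypothetical_save_settings' ); ?>
        <label>API key
            <input type="text" name="api_key"
                   value="<?php echo esc_attr( get_option( 'hypothetical_api_key', '' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page(
        'Hypothetical Settings', 'Hypothetical', 'manage_options',
        'rybb_api_settings', 'hypothetical_settings_page'
    );
} );
```

The nonce is what defeats CSRF: it is tied to the action name, the logged-in user and a time window, and an attacker's page cannot read it from the administrator's browser, so a forged request fails `check_admin_referer()` before `update_option()` runs. The capability check is a separate control; it does not stop CSRF on its own, because the forged request carries the real administrator's session. A plugin that uses the Settings API (`register_setting()` with a form that posts to `options.php` and calls `settings_fields()`) gets the same nonce verification from core, which is the simpler fix when the page reviewing a plugin's settings code finds a bare `update_option()` on `$_POST` data.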
Affected Systems
All WordPress installations that include the Remove Yellow BGBOX plugin by jay_patel, in any version up to and including 1.0 (the affected range is stated as "<= 1.0"). Administrators using the deprecated plugin should note that the vulnerability applies to every site on which the "rybb_api_settings" page can be reached while an administrative session is active.
Risk and Exploitability
The CVSS score is 4.3, indicating moderate severity. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog, so no widespread active exploitation is documented. The attack vector is nonetheless straightforward: a forged HTTP request to the vulnerable page can be induced by tricking an administrator into clicking a link. The risk therefore remains tangible for sites that actively use the plugin and whose administrators can be deceived.
OpenCVE Enrichment