The WP Coder plugin by Wow-Company contains a CSRF vulnerability that enables an attacker to induce a logged-in user to execute unwanted actions, which can result in Cross-Site Scripting (XSS). This affects all versions up to 3.6 inclusive. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without privileges but requires user interaction. The vulnerability impacts confidentiality, integrity, and availability to a limited extent. No patch or official remediation guidance is currently available from the vendor.

Successful exploitation could allow attackers to execute arbitrary scripts in the context of the victim's browser session, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability affects confidentiality, integrity, and availability at a low level but is rated high severity due to the combination of CSRF and XSS risks. There are no known active exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the WP Coder plugin if possible or restrict access to trusted users only. Implementing additional CSRF protections at the application or web server level may help mitigate risk temporarily.