The Epicwin Plugin by Webaholicson, up to version 1.5, contains a CSRF vulnerability that enables SQL Injection attacks. This means that an attacker can trick an authenticated user into executing unintended requests that manipulate the backend database. The CVSS 3.1 score of 8.2 reflects the high impact on confidentiality with low attack complexity and no required privileges, but user interaction is necessary. The vulnerability is publicly known as of June 2025, but no patch or fix has been documented in the provided data.

Successful exploitation can lead to unauthorized SQL Injection via CSRF, potentially exposing or compromising sensitive data (confidentiality impact is high). Integrity is not directly impacted according to the CVSS vector, and availability impact is low. The vulnerability can be exploited remotely without privileges but requires user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting use of the Epicwin Plugin, applying web application firewalls with CSRF protections, and avoiding actions that could trigger the vulnerability. Monitor vendor channels for updates.