The Customify WordPress theme version 0.4.11 contains a CSRF vulnerability (CWE-352) due to missing or incorrect nonce validation in the reset_customize_section function. This flaw enables unauthenticated attackers to reset theme customization settings by leveraging a forged request that requires user interaction (an administrator clicking a crafted link). The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity, no privileges required, user interaction needed, and limited impact on integrity only. No known exploits are reported in the wild, and no official patch or remediation guidance is currently available.

An attacker can cause an administrator to unknowingly reset theme customization settings via a CSRF attack, resulting in limited integrity impact. There is no confidentiality or availability impact. The vulnerability requires user interaction and does not allow privilege escalation or remote code execution.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should be cautious about clicking untrusted links while logged into WordPress with administrative privileges. Implementing additional CSRF protections or disabling the vulnerable functionality may reduce risk.