The User Sync plugin for WordPress suffers from a CSRF vulnerability due to improper nonce validation in the mo_user_sync_form_handler() function. This allows attackers to craft malicious requests that, if executed by an authenticated site administrator, can deactivate the plugin without their intent. The vulnerability affects all versions up to 1.0.2. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact.

An attacker can cause a site administrator to unknowingly deactivate the User Sync plugin by tricking them into executing a crafted request. This could disrupt user synchronization functionality but does not directly compromise confidentiality or availability of the system. The impact is limited to integrity as the plugin state can be altered without authorization.

No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's communications for updates. Until a fix is released, administrators should exercise caution when interacting with untrusted links or requests that could trigger plugin deactivation. Implementing additional CSRF protections at the site level or restricting administrative access may help reduce risk.