The plugin allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks
Change current admin email (then attacker can request a password change via the login form) Add a new admin account:
CPE | Name | Operator | Version |
---|---|---|---|
seo-automatic-wp-core-tweaks | eq | * |