Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For the attack to succeed, a privileged, authenticated WordPress user would need to visit a page the attacker controls.