The vulnerability lies in a missing nonce check on multiple AJAX actions within the Page Title, Description & Open Graph Updater plugin, enabling an unauthenticated attacker to alter page titles and metadata. By forging a request, an attacker can trick a site administrator into performing an action that changes content on the site. Because the modified data can affect SEO, social media previews, and user perception, the primary outcome is a compromise of the integrity of the site’s content. The weakness is a classic Cross‑Site Request Forgery flaw (CWE‑352).

Any WordPress installation running the Page Title, Description & Open Graph Updater plugin from the vendor dienodigital, in any version up to and including 1.02. No specific patch level beyond 1.02 is provided by the vendor in the advisory. The recommendation is to treat all revisions at or below 1.02 as vulnerable.

The CVSS score of 4.3 indicates moderate impact, while the EPSS of less than 1% suggests a low probability of wide exploitation. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation requires an unauthenticated user to coerce a logged‑in administrator to trigger a forged AJAX request; therefore, the attack vector relies on social engineering or malicious links. Successful exploitation permits arbitrary alteration of on‑page titles and metadata, but requires no further privileges once the administrator submits the request.