The vulnerability is a Cross‑Site Request Forgery flaw in the Awesome Event Booking plugin for WordPress that allows a malicious site to issue state‑changing requests on behalf of an authenticated user. Users who are logged into a site running a vulnerable version of the plugin could inadvertently trigger actions such as creating, modifying or possibly deleting event bookings without their knowledge. The flaw is identified as CWE‑352. While the vulnerability does not directly expose data, it permits an attacker to manipulate booking data and services, potentially disrupting schedules and user trust.

This issue affects the Awesome Event Booking plugin from AwesomeTOGI, specifically any installation running version 2.7.5 or earlier. No specific sub‑versions are listed, so all releases up to and including 2.7.5 are considered vulnerable.

The CVSS score of 4.3 indicates moderate severity. EPSS < 1% suggests a low probability of exploitation in the near term, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is a link or embedded form on a third‑party site that a logged‑in user visits, automatically submitting a request to the vulnerable WordPress site. No additional conditions are described, so the flaw can be exploited against any authenticated user interacting with the affected plugin.