Impact
WordPress sites running the Wow‑Company Modal Window plugin at version 6.1.4 or earlier are susceptible to a Cross‑Site Request Forgery (CSRF) vulnerability that lets an attacker change plugin settings without the victim's knowledge. The flaw exists because the plugin accepts state‑changing requests without verifying that the request was deliberately issued by an authenticated user who is authorized to make the change. If successfully triggered, an attacker could change display options, enable or disable features, or alter any configuration parameter the plugin stores. Such changes could degrade functionality, disrupt the user experience, or introduce indirect security weaknesses by causing the plugin's other features to operate with settings the site owner never intended.
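For comparison, here is the generic settings-handler pattern the advisory describes, shown as an added illustration next to a hardened handler that rejects forged requests. This is hypothetical example code, not the Modal Window plugin's own code; the hook, function, option and field names are constructed placeholders.

```php
<?php
// Hypothetical WordPress plugin settings handler (constructed example, not Wow-Company's code).
// Option name 'example_modal_settings' and all field names are placeholders.

// Weak pattern: every POST reaching this handler is saved. An administrator who is
// logged in and visits an attacker-controlled page can be made to submit it unknowingly.
function example_modal_save_settings_weak() {
    update_option( 'example_modal_settings', $_POST['settings'] ?? array() );
}

// Hardened pattern: the form carries a nonce bound to one action, and the handler
// checks both the nonce and the user's capability before writing anything.
function example_modal_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_modal_save', 'example_modal_nonce' ); ?>
        <input type="hidden" name="action" value="example_modal_save">
        <label><input type="checkbox" name="settings[enabled]" value="1"> Enable modal</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_modal_save_settings_hardened() {
    // Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Intent: the nonce proves the request came from a form this site rendered for
    // this user; a cross-site POST cannot supply a valid one, so the request dies here.
    check_admin_referer( 'example_modal_save', 'example_modal_nonce' );

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? $_POST['settings'] : array();
    // Store only a known schema rather than whatever shape the request carried.
    $clean = array(
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
    );
    update_option( 'example_modal_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_modal_save', 'example_modal_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for every `update_option`, `add_option` or similar write reached from a request and confirm that a `check_admin_referer`/`wp_verify_nonce` call and a `current_user_can` check both precede it.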
Affected Systems
Affected systems are installations of the Wow‑Company Modal Window WordPress plugin at any version up to and including 6.1.4. The vulnerability is present in every WordPress environment that has the plugin activated, regardless of the site's role or content. The component is distributed as a WordPress plugin under the vendor name Wow‑Company and is identified in the National Vulnerability Database by the CPE string cpe:2.3:a:wow-company:modal_window:*:*:*:*:*:wordpress:*:*.
Risk and Exploitability
Given the CVSS score of 5.4, the vulnerability presents a moderate risk. Exploitation requires the attacker to target a user who is logged into the WordPress site and has permission to modify Modal Window settings. The EPSS score of less than 1% suggests that the vulnerability is unlikely to be actively exploited in the wild. This entry is not in the CISA KEV catalog. It is inferred that an attacker would use a malicious website or email message to trick a privileged user into submitting a forged request that alters the plugin configuration.