Cross‑Site Request Forgery (CWE-352) in the WP Keyword Monitor plugin permits an attacker to forge requests from the perspective of a legitimate, authenticated WordPress user. This can enable the attacker to perform unauthorized actions such as modifying plugin settings, posting content, or altering site behavior. The vulnerability has the potential to be escalated to a broader compromise if abused to inject malicious scripts, but the description does not confirm a stored XSS component.

The flaw affects the WordPress plugin WP Keyword Monitor published by blackus3r. All released versions through and including 1.0.5 are vulnerable, regardless of WordPress installation. Only installations that have not yet upgraded beyond 1.0.5 are at risk.

With a CVSS score of 7.1, the vulnerability is considered high impact. The EPSS score of less than 1% indicates that exploitation is currently unlikely but still possible, especially where attackers have identified targets. The flaw is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been reported. An attacker would typically need the victim to be authenticated and would poison a CSRF‑enabled request, possibly delivered via a malicious link or embedded form. If leveraged, it can compromise the integrity of site content and potentially breach confidentiality.