Impact
Cross‑Site Request Forgery (CSRF) in the queeez WP‑PostRatings Cheater plugin allows an attacker to submit requests on behalf of a logged‑in WordPress user without the user’s consent. The flaw can be used to tamper with post rating values, potentially inflating or deflating user feedback. As a result, the integrity of rating data is compromised, which can mislead site visitors and affect content visibility. The weakness aligns with CWE‑352 and carries a CVSS score of 4.3, indicating moderate severity.
Affected Systems
The vulnerability affects the WP‑PostRatings Cheater plugin by queeez in every release from the initial version up to and including 1.5. Any WordPress site running one of those releases is susceptible.
Risk and Exploitability
The CVSS score of 4.3 reflects moderate impact, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog, so no in‑the‑wild exploitation has been recorded there. Attackers would typically craft a malicious link or page that forces a legitimate user’s browser to submit a rating request to the site, exploiting the absence of a CSRF token check. Because the vulnerability relies on the user’s authenticated session, successful exploitation requires the victim to visit a malicious page while logged in; once that happens, any rating action the user is permitted to perform can be triggered.
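The following is an added illustration, not code from the WP‑PostRatings Cheater plugin, of the defect class described above and its fix in WordPress terms: a hypothetical AJAX rating handler without a nonce check beside the same handler protected by one. All function, action and nonce names are assumptions.

```php
<?php
// Added example (not the plugin's own code). Names such as
// example_rate_post and example_rate_post_nonce are hypothetical.

// Vulnerable shape: any POST that reaches admin-ajax.php with a logged-in
// session is honoured, so a cross-site form can submit ratings for the victim.
add_action( 'wp_ajax_example_rate_post', 'example_rate_post_unprotected' );
function example_rate_post_unprotected() {
    $post_id = (int) $_POST['post_id'];
    $rating  = (int) $_POST['rating'];
    update_post_meta( $post_id, 'example_rating', $rating );
    wp_send_json_success();
}

// Hardened shape: the request must carry a nonce bound to this action and to
// the current user's session, and the inputs are validated before use.
add_action( 'wp_ajax_example_rate_post_safe', 'example_rate_post_protected' );
function example_rate_post_protected() {
    // check_ajax_referer() ends the request with HTTP 403 when the 'security'
    // field is missing or does not verify for the logged-in user. A third-party
    // page cannot read this value, so a forged request fails here.
    check_ajax_referer( 'example_rate_post_nonce', 'security' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $rating  = isset( $_POST['rating'] ) ? absint( $_POST['rating'] ) : 0;
    if ( ! $post_id || $rating < 1 || $rating > 5 || ! current_user_can( 'read', $post_id ) ) {
        wp_send_json_error( 'invalid rating request', 400 );
    }
    update_post_meta( $post_id, 'example_rating', $rating );
    wp_send_json_success();
}

// The legitimate front end obtains the nonce server-side and sends it back in
// the 'security' field; hand it to the rating script alongside the AJAX URL.
add_action( 'wp_enqueue_scripts', 'example_rating_assets' );
function example_rating_assets() {
    wp_enqueue_script( 'example-rating', plugins_url( 'rating.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-rating', 'exampleRating', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'example_rate_post_nonce' ),
    ) );
}
```

When reviewing a plugin for this weakness, look for state-changing `wp_ajax_*` or form handlers that call `update_post_meta()` or similar without a preceding `check_ajax_referer()`, `check_admin_referer()` or `wp_verify_nonce()`.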