The WP No‑Bot Question plugin for WordPress contains a Cross‑Site Request Forgery flaw that allows an attacker to forge requests submitted from a victim’s browser, potentially executing privileged actions without the user’s consent. The weakness is identified as CWE‑352 and is limited to the state of the plugin before version 0.1.8, meaning any site running 0.1.7 or earlier is exposed. Because the defect permits the attacker to perform actions that the plugin normally validates, confidentiality is not directly compromised but integrity and availability of the site’s content could be affected by unauthorized submissions or data changes.

WordPress sites that have installed the edwardw WP No‑Bot Question plugin version 0.1.7 or earlier are vulnerable. The affected product is the WP No‑Bot Question plugin, and all earlier compatible releases are affected until a newer, patched version is deployed.

The CVSS score of 4.3 indicates moderate severity, and the current EPSS score of <1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to craft a request that deceives the target browser into submitting data through the vulnerable form, which is typically achieved via a malicious page or phishing link. The risk is limited to the site owner’s user base and the scope of any privileged actions available through the plugin forms.