Impact
A Cross-Site Request Forgery vulnerability exists in the WordPress Spam Byebye plugin that allows an attacker to craft a malicious request that is sent, by the victim's browser, in the context of an authenticated user. The flaw permits the execution of privileged actions on the site, potentially modifying content, deleting posts, or changing plugin settings. This weakness is classified as CWE-352 and could compromise the integrity of the WordPress installation if an attacker can convince a logged-in administrator to visit a malicious site.
Affected Systems
The issue affects the Spam Byebye plugin from the ohtan vendor, versions up to and including 2.2.4. System administrators should verify whether their WordPress site is running any of those versions and plan for an upgrade.
Risk and Exploitability
The CVSS score of 4.3 reflects a moderate risk, and the EPSS score of < 1% indicates a low likelihood that the flaw will be actively exploited. The vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been observed in the wild. Inferred attack vectors involve a malicious site or infected page that submits a crafted request while a legitimate user is authenticated. Successful exploitation would require the victim to be logged in with sufficient privileges for the desired action, and the forged request succeeds only because the plugin does not verify that the user intentionally issued it. Consequently, mitigation should prioritize preventing the plugin from processing unauthorized requests (in WordPress, a nonce check bound to the action together with a capability check on the current user) and ensuring that only legitimate user actions are accepted.
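The following is an added illustration, not Spam Byebye's own code, of the CWE-352 pattern described above in a hypothetical WordPress settings handler: the first function accepts any POST that reaches it, the second requires a per-user, per-action nonce and a capability check, so a request forged from another origin is rejected. All names (`demo_*`, the `demo_block_list` option, the `demo_save` action) are assumptions.

```php
<?php
// Hypothetical handler, NOT the Spam Byebye plugin's own code.
// Vulnerable version: any request reaching this function is honored, so a
// cross-site form auto-submitted in a logged-in admin's browser changes the
// option without the admin's intent (CWE-352). Not hooked in, for reference only.
function demo_save_settings_vulnerable() {
    update_option( 'demo_block_list', $_POST['block_list'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Hardened version: the request must carry a nonce that WordPress tied to this
// user and this action, and the user must hold the required capability.
// A page on another origin cannot read the nonce, so it cannot forge the request.
function demo_save_settings_hardened() {
    // check_admin_referer() terminates with HTTP 403 if the nonce is missing or invalid.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }
    $value = isset( $_POST['block_list'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['block_list'] ) )
        : '';
    update_option( 'demo_block_list', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save', 'demo_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce field, otherwise
// the hardened handler rejects the plugin's own submissions too.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <textarea name="block_list"><?php echo esc_textarea( get_option( 'demo_block_list', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Nonce verification alone is not an authorization check: the `current_user_can()` test is what stops a low-privilege but logged-in user from reaching the option, which is why the hardened handler performs both.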
OpenCVE Enrichment