Impact
A Cross‑Site Request Forgery (CSRF) flaw exists in Jonathan Lau’s CubePoints WordPress plugin that lets an attacker trick an authenticated user into confirming actions without that user's knowledge. Because the plugin does not enforce the standard form‑token checks that would tie a state‑changing request to the user's own session, a crafted request can execute privileged actions such as awarding points, adjusting balances, or modifying configuration settings. This directly undermines the integrity and authenticity guarantees of the application.
Affected Systems
The CubePoints plugin, version 3.2.1 and earlier, is affected. Users running the plugin on any WordPress installation within this version range are vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate risk, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that a victim be logged into WordPress with sufficient privileges and be tricked into visiting a crafted URL or submitting a crafted form. The attack vector is inferred to be web‑based CSRF, since the plugin fails to validate proper anti‑CSRF tokens on state‑changing requests.
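The missing check described above, shown as an added illustration that is not CubePoints code: a hypothetical WordPress admin handler (`cp_demo_award_points`, an assumed name) that adjusts a point balance, first without any nonce validation and then hardened with WordPress's own nonce and capability checks.

```php
<?php
// Added illustration, not CubePoints code. The hypothetical handler
// cp_demo_award_points adjusts a user's point balance from an admin form.

// VULNERABLE pattern: a state-changing action that trusts any request
// from an authenticated user. A request forged by another site carries
// the victim's session cookie, so it passes authentication unchallenged.
function cp_demo_award_points_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    $points  = (int) $_POST['points'];
    $balance = (int) get_user_meta( $user_id, 'cp_demo_points', true );
    update_user_meta( $user_id, 'cp_demo_points', $balance + $points );
    wp_safe_redirect( admin_url( 'admin.php?page=cp-demo&updated=1' ) );
    exit;
}

// HARDENED pattern: the form embeds a nonce bound to this action and the
// logged-in user, and the handler rejects any request lacking a valid one.
function cp_demo_award_points_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'cp_demo_award_points', 'cp_demo_nonce' );
    echo '<input type="hidden" name="action" value="cp_demo_award_points">';
    echo '<input type="number" name="user_id"> <input type="number" name="points">';
    submit_button( 'Award points' );
    echo '</form>';
}

function cp_demo_award_points_hardened() {
    // 1. Capability check: only users allowed to manage the site may act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. Nonce check: the token must match the action and the current user.
    //    A cross-site forged request cannot obtain it, so the request dies here.
    check_admin_referer( 'cp_demo_award_points', 'cp_demo_nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $points  = intval( $_POST['points'] ?? 0 );
    $balance = (int) get_user_meta( $user_id, 'cp_demo_points', true );
    update_user_meta( $user_id, 'cp_demo_points', $balance + $points );
    wp_safe_redirect( admin_url( 'admin.php?page=cp-demo&updated=1' ) );
    exit;
}

// Wire the hardened handler to admin-post.php (logged-in users only).
add_action( 'admin_post_cp_demo_award_points', 'cp_demo_award_points_hardened' );
```

Auditing a plugin for this class of bug means locating every handler that writes state and confirming it calls `check_admin_referer()` or `wp_verify_nonce()` before acting, alongside a capability check.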