Impact
This vulnerability is a cross‑site request forgery (CSRF) flaw that lets an attacker trigger authenticated actions on a WordPress site without the user’s knowledge or consent. If that user has administrative or content‑editing privileges, the attacker could create, modify or delete information boxes, compromising the website’s integrity. The weakness is classified as CWE‑352 and carries a CVSS score of 4.3, indicating moderate severity.
Affected Systems
The flaw exists in the OTWthemes Info Boxes Shortcode and Widget plugin, version 1.15 and earlier. Any WordPress installation with this plugin installed is affected, and any user who is logged in to such a site when the crafted request is delivered is at risk.
Risk and Exploitability
The EPSS score is below 1%, so the probability of widespread exploitation is low, and it is not listed in the CISA KEV catalog. The attack requires an authenticated victim and the ability to send a crafted request to the site, making it a user‑dependent CSRF. Nonetheless, because it can affect site content and potentially do more damage than a simple denial of service, administrators should treat it as a moderate to high risk in environments where the plugin is widely used.
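To make the CWE‑352 pattern concrete, the following is an added illustration (not the plugin’s own code; the handler, option names and form are hypothetical) of a WordPress admin‑post handler that saves an info box first without any proof of request origin, and then hardened with a nonce and a capability check as WordPress core recommends.

```php
<?php
// Added example, not code from the Info Boxes plugin. Function names, the
// 'ib_save_box' action and the option key are hypothetical.

// Shared storage step; both handlers call it after validation.
function ib_store_box() {
    $id    = intval( $_POST['box_id'] ?? 0 );
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    update_option( "ib_box_{$id}", array( 'title' => $title, 'body' => $body ) );
    wp_safe_redirect( admin_url( 'admin.php?page=info-boxes' ) );
    exit;
}

// Weak: the request is trusted solely because the browser sent the login cookie,
// so any page the logged-in user loads can submit this form on their behalf (CWE-352).
function ib_save_box_weak() {
    ib_store_box();
}

// Hardened: the form must carry a nonce minted for this user and this action,
// and the user must hold a capability that permits editing content.
function ib_save_box_hardened() {
    // Ends the request with a 403 page if the nonce is missing, expired or
    // was issued to a different user.
    check_admin_referer( 'ib_save_box', 'ib_nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit info boxes.' ), 403 );
    }
    ib_store_box();
}
add_action( 'admin_post_ib_save_box', 'ib_save_box_hardened' );

// The matching admin form: wp_nonce_field() emits the hidden 'ib_nonce' input
// (plus the referer field) that check_admin_referer() verifies above.
function ib_render_form( $id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ib_save_box">
        <input type="hidden" name="box_id" value="<?php echo (int) $id; ?>">
        <?php wp_nonce_field( 'ib_save_box', 'ib_nonce' ); ?>
        <input type="text" name="title">
        <textarea name="body"></textarea>
        <?php submit_button( 'Save box' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every state‑changing handler (admin_post_*, wp_ajax_*, or shortcode/widget save paths) and confirm it performs both the nonce check and the capability check; either one alone is insufficient.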