Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) weakness in the WordPress SoundCloud Ultimate plugin, version 1.5 and earlier. The flaw allows an attacker to force an authenticated user to submit requests to the plugin's endpoints without that user's explicit consent. Because the attack depends on the victim's authenticated session, the impact is limited to the actions that the logged-in user could normally perform within the plugin. The weakness is classified as CWE-352.
Affected Systems
The flaw affects any WordPress installation that includes the wpsolutions SoundCloud Ultimate plugin up to and including version 1.5. Only sites that have the plugin installed and have not upgraded beyond 1.5 are exposed. WordPress core and unrelated third-party plugins are not affected.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate overall severity, and the EPSS score of less than 1% points to a low current probability of exploitation. The flaw is not listed in CISA's KEV catalog. The likely attack vector is a malicious link or web page that encourages a logged-in user to visit a crafted URL. Because the flaw depends on user interaction and does not bypass authentication, an attack usually requires a phishing or social-engineering scenario. The risk remains moderate until the plugin is upgraded.