WordPress Cackle plugin versions up to 4.33 contain a CSRF flaw that can let an attacker craft a request that is executed with the privileges of a logged‑in user. The vulnerability is a classic Cross‑Site Request Forgery, meaning the attacker does not need to bypass authentication but can force the victim to perform actions such as changing plugin settings or initiating other privileged operations. The impact depends on the user’s role but can lead to matter of data alteration or configuration changes within the site.

The affected product is the Cackle WordPress plugin from vendor boroV, specifically all released versions up to and including 4.33. No specific sub‑versions are listed beyond this upper bound.

The CVSS score of 4.3 indicates a moderate risk level. The EPSS score of less than 1% shows a very low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalogue. The likely attack vector involves a crafted HTTP request to the plugin’s endpoint checked by an authenticated browser session; it requires that the victim is logged in and that the plugin’s CSRF checks are absent or ineffective. The exploitation conditions are therefore that a user with sufficient privileges visits a malicious link or submits a forged form while the vulnerable plugin is active.