Impact
This vulnerability is a Cross‑Site Request Forgery (CSRF) flaw, classified as CWE‑352, in the settings handling of the Nks publish post email notification plugin. The plugin's settings endpoint accepts state‑changing requests without verifying that they originated from its own admin form (for example through a WordPress nonce), so an attacker who lures a logged‑in administrator to a page under the attacker's control can have the victim's browser submit a forged request that the site then processes with the victim's privileges. Through such a request the attacker can alter email recipients, modify notification rules, or disable the plugin's email notifications altogether. The resulting impact includes unauthorized disclosure of notification email content (if recipients are redirected to an attacker‑controlled address), injection of malicious links into the notifications, and use of the site's notification channel to spread spam to its users.
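The following PHP example is added here to illustrate the pattern described above; it is not the plugin's code. It shows a WordPress admin‑post settings handler that trusts any request arriving on an authenticated session, beside a hardened handler that checks the user's capability and a per‑action nonce before writing options. The hook names, option keys, page slug and form fields are assumptions chosen for the example and do not correspond to the plugin's real identifiers.

```php
<?php
/**
 * Illustrative example, not the plugin's code. Hook names, option keys and
 * form fields below are assumptions made for this example.
 */

// --- Vulnerable pattern --------------------------------------------------
// A POST to /wp-admin/admin-post.php?action=nks_save_settings_vulnerable is
// accepted as long as the browser carries a valid WordPress login cookie.
// A third-party page with an auto-submitting form posting
// recipient=<attacker address> therefore changes the setting when an
// administrator merely visits it: nothing proves the request came from the
// plugin's own form.
add_action( 'admin_post_nks_save_settings_vulnerable', function () {
    // No nonce check and no capability check: request origin is never verified.
    update_option( 'nks_notify_recipient', $_POST['recipient'] );
    update_option( 'nks_notify_enabled', isset( $_POST['enabled'] ) ? 1 : 0 );
    wp_safe_redirect( admin_url( 'options-general.php?page=nks-settings' ) );
    exit;
} );

// --- Hardened pattern ----------------------------------------------------
// The settings form embeds a nonce bound to this action and to the current
// user's session; a forged cross-site form cannot know or guess it.
function nks_example_render_settings_form() {
    $recipient = get_option( 'nks_notify_recipient', '' );
    $enabled   = (bool) get_option( 'nks_notify_enabled', 1 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nks_save_settings">
        <?php wp_nonce_field( 'nks_save_settings', 'nks_nonce' ); ?>
        <label>Recipient
            <input type="email" name="recipient" value="<?php echo esc_attr( $recipient ); ?>">
        </label>
        <label>
            <input type="checkbox" name="enabled" value="1" <?php checked( $enabled ); ?>>
            Send notifications
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_nks_save_settings', function () {
    // 1. Authorisation: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce for this
    //    action and dies with an error page when it is missing, expired,
    //    or was issued to a different user.
    check_admin_referer( 'nks_save_settings', 'nks_nonce' );

    // 3. Validate and sanitise input before persisting it.
    $recipient = isset( $_POST['recipient'] )
        ? sanitize_email( wp_unslash( $_POST['recipient'] ) )
        : '';
    if ( '' !== $recipient && ! is_email( $recipient ) ) {
        wp_die( 'Invalid recipient address', 400 );
    }

    update_option( 'nks_notify_recipient', $recipient );
    update_option( 'nks_notify_enabled', empty( $_POST['enabled'] ) ? 0 : 1 );

    wp_safe_redirect( admin_url( 'options-general.php?page=nks-settings' ) );
    exit;
} );
```

The nonce and the capability check are independent controls: the capability check stops low‑privileged users from calling the handler directly, while the nonce stops an attacker from borrowing an administrator's session through the browser. Both are needed; a handler with only the capability check remains vulnerable to CSRF, since the forged request runs as the administrator.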
Affected Systems
The flaw affects WordPress sites running the Nks publish post email notification plugin version 1.0.2.3 or earlier. No other vendor or product versions are listed.
Risk and Exploitability
The CVSS score of 4.3 places the flaw in the Medium severity band, and the EPSS score of less than 1 % indicates a very low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in CISA's KEV catalog, so there is no evidence of active abuse. The attack vector is web‑based: the attacker hosts a page (or sends a link) containing a form or script that makes the victim's browser submit a forged request to the plugin's settings endpoint, and the browser attaches the victim's WordPress session cookie automatically. The request only takes effect if the victim is logged in with the rights needed to change the plugin's settings, typically an administrator, and the attacker must induce that user to visit the malicious page while that session is active. One practical caveat: browsers that treat cookies without an explicit SameSite attribute as Lax do not send the session cookie on a cross‑site POST from another origin, which blocks the classic form‑based variant of this attack; browsers without that default, and any settings change reachable via GET, remain exposed. Given the Medium score and low exploitation probability, the risk to a site depends on whether the plugin is installed and on how often its administrators browse untrusted sites while holding an active wp‑admin session. Sites running an affected version should update once a fixed release is available, or deactivate the plugin until then.
OpenCVE Enrichment