Impact
The vulnerability is a Cross‑Site Request Forgery flaw that enables an attacker to submit forged requests to WordPress sites running the Cache control by Cacholong plugin. The flaw exists in all releases up to and including version 5.4.1, allowing unauthorized actions to be performed with the privileges of an authenticated user. The weakness is classified as CWE‑352, indicating that the system does not adequately verify that a request originates from a trusted source.
Affected Systems
The affected product is the WordPress plugin Cache control by Cacholong from the vendor Preliot. All releases from the initial version through 5.4.1 are vulnerable. No version details are provided beyond the upper bound of 5.4.1.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS probability is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low exploitation likelihood as of the current data. The typical attack scenario involves an attacker crafting a malicious link or form that forces an authenticated user to perform an unintended action on the WordPress site. Because the flaw lies in the plugin’s request validation, it can be leveraged to execute any privileged operation exposed by the plugin once the user is tricked. Even with the low EPSS, the potential impact remains significant for sites with active administrators who use the plugin.
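As an added example (not part of the advisory and not the plugin's code), the Python script below triages a web server access log for the scenario described above: state-changing requests to `/wp-admin/` that the site itself did not refer. The host `blog.example`, the log lines and the request paths are constructed; the advisory does not name the plugin's endpoints, so the script looks at every `/wp-admin/` request rather than a plugin-specific one.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"')

def is_state_changing(method, target):
    """POSTs under /wp-admin/, or GETs there that carry an action parameter."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return False
    return method == "POST" or (method == "GET" and "action" in parse_qs(parts.query))

def classify_referer(referer, site_host):
    """Compare the exact Referer hostname; substring checks miss look-alike hosts."""
    if referer in ("", "-"):
        return "missing"
    host = (urlsplit(referer).hostname or "").lower()
    return "same-site" if host == site_host.lower() else "cross-site"

def find_suspect_requests(lines, site_host):
    """Return state-changing wp-admin requests that the site itself did not refer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_state_changing(m["method"], m["target"]):
            continue
        verdict = classify_referer(m["referer"], site_host)
        if verdict != "same-site":
            hits.append({"time": m["time"], "ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "referer": verdict})
    return hits

# Constructed sample lines (assumed site host: blog.example); not from a real log.
T = "[01/Jan/2025:10:0%d:00 +0000]"
SAMPLE_LOG = [
    '203.0.113.7 - - ' + T % 1 + ' "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php" "UA"',
    '203.0.113.7 - - ' + T % 2 + ' "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.other.test/page.html" "UA"',
    '203.0.113.7 - - ' + T % 3 + ' "GET /wp-admin/admin.php?page=demo&action=example HTTP/1.1" 200 512 "-" "UA"',
    '198.51.100.9 - - ' + T % 4 + ' "GET /wp-admin/index.php HTTP/1.1" 200 4096 "https://mail.example/inbox" "UA"',
    '198.51.100.9 - - ' + T % 5 + ' "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://other.test/" "UA"',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG, "blog.example"):
        print(hit)
```

A hit is a lead for review rather than proof of a forged request, since browsers and privacy tools can strip the Referer header from legitimate traffic.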