Impact
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Embed Extended WordPress plugin up to version 1.4.0. The flaw allows an attacker to cause a logged-in user to unknowingly submit a crafted request that the plugin executes, potentially performing privileged actions such as altering content or settings. Because the flaw is purely a CSRF issue, it does not directly expose secrets, but it can be used to change site configuration, inject malicious content, or otherwise damage the site's integrity and reputation.
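To show the defect class this advisory describes and its standard fix, here is an added illustration in WordPress plugin style. It is not the Embed Extended plugin's code; the function, option and nonce names (ee_demo_*) are hypothetical placeholders.

```php
<?php
// Hypothetical option-save handler; NOT the Embed Extended plugin's code.
// All ee_demo_* names are placeholders invented for this illustration.

// VULNERABLE PATTERN: any POST that reaches admin-post.php with
// action=ee_demo_save is applied on behalf of whoever is logged in.
// A form on an attacker-controlled page can therefore submit it for the
// victim, which is exactly the CSRF scenario described above.
function ee_demo_save_settings_vulnerable() {
    $value = isset( $_POST['ee_demo_setting'] ) ? $_POST['ee_demo_setting'] : '';
    update_option( 'ee_demo_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=ee-demo' ) );
    exit;
}

// HARDENED PATTERN: require an appropriate capability AND a nonce bound to
// this specific action. A cross-site page cannot read the victim's nonce,
// so the forged request is rejected before any option is written.
function ee_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() ends the request with a 403 page when the
    // nonce field is missing, expired, or does not match this action.
    check_admin_referer( 'ee_demo_save_action', 'ee_demo_nonce' );

    $value = isset( $_POST['ee_demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['ee_demo_setting'] ) )
        : '';
    update_option( 'ee_demo_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=ee-demo' ) );
    exit;
}
add_action( 'admin_post_ee_demo_save', 'ee_demo_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce field so that
// genuine saves from the admin screen still pass the check.
function ee_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ee_demo_save">
        <?php wp_nonce_field( 'ee_demo_save_action', 'ee_demo_nonce' ); ?>
        <input type="text" name="ee_demo_setting"
               value="<?php echo esc_attr( get_option( 'ee_demo_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for every admin_post_*, admin_ajax_* or settings handler that writes options or content and confirm it performs both the capability check and the nonce verification shown in the hardened function.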
Affected Systems
The affected product is the Embed Extended plugin for WordPress by Rudy Susanto, from the earliest available version through 1.4.0. WordPress sites running any of these versions are susceptible. According to the CNA data, no other plugins or WordPress core versions are affected.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1% suggests the likelihood of exploitation is very low at the time of this analysis. The vulnerability is not listed in CISA's KEV catalog, which further implies limited widespread exploitation. An attacker would need to entice an authenticated user to visit a malicious site that issues the forged request, so the threat surface is limited to users who have active sessions with the site's admin interface.
OpenCVE Enrichment