A Cross‑Site Request Forgery flaw exists in Clearbit Reveal for WordPress that allows a malicious actor to submit arbitrary requests on behalf of a logged‑in administrator or other authenticated user. By inducing the victim to click a crafted link or visit a malicious page, the attacker can trigger privileged actions without the user’s explicit consent. The vulnerability stems from missing or improperly validated CSRF tokens, which is identified as CWE‑352. The impact is the unauthorized execution of actions that the authenticated user is authorized to perform, potentially leading to data modification, configuration changes, or disclosure of sensitive content. The severity, as gauged by the CVSS score of 5.4, indicates a moderate risk but not a critical threat.

WordPress sites running Clearbit Reveal version 1.0.6 or earlier are affected. Any installation of the Clearbit Reveal plugin through version 1.0.6 or below carries the risk, as the flaw is present across all these releases.

The CVSS score of 5.4 points to moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation in current threat landscapes. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a web‑based exploitation where a compromised or malicious site can lure an authenticated WordPress user into unknowingly submitting a forged request. Successful exploitation requires the victim to be authenticated to the site and to have sufficient privileges to perform the affected action. Because the flaw does not provide remote code execution or privilege escalation beyond the victim’s own user rights, the overall risk remains within the moderate range.