Impact
This vulnerability in the WordPress to Hootsuite plugin allows a Cross-Site Request Forgery (CSRF) attack. An attacker can trick an authenticated user into navigating to a crafted URL that triggers the plugin to perform actions on the user’s behalf without their consent. Because the flaw resides in the plugin’s form handling logic, any action that the plugin protects can be hijacked, potentially leading to unauthorized posts or configuration changes on the linked Hootsuite account.
Affected Systems
The affected product is the WordPress to Hootsuite plugin, developed by wpzinc under the name Post to Social Media – WordPress to Hootsuite. All releases from the initial version through version 1.5.8 are susceptible. Any WordPress site running these plugin versions with an active authenticated user is impacted.
Risk and Exploitability
The CVSS score of 4.3 places this issue in the medium severity range, while the EPSS score of less than 1% indicates a very low likelihood of exploitation at the current time. The vulnerability is not listed in CISA’s KEV catalog. The attack would likely require an attacker to lure an authenticated site user to a malicious page; the user’s session cookie would then be used to send a request that the plugin processes, causing the unintended action. Although exploitation probability is low, the impact could be significant if the unauthorized action manipulates a user’s social media presence.
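The mechanism described above (a logged-in user's session cookie carries a forged request that the plugin's form handler accepts) is the general WordPress CSRF pattern, and the standard mitigation is a per-user nonce plus a capability check. The following is an added illustration written for this advisory, not code from the Post to Social Media – WordPress to Hootsuite plugin: a minimal settings handler shown first without protection and then hardened. All function names, the option key and the form action (`hootsuite_demo_*`) are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Names prefixed hootsuite_demo_
// are hypothetical and exist only to show the pattern.

// --- Weak handler: processes the POST as soon as a user is logged in.
// A request forged from a third-party page is sent with the victim's session
// cookie, so this check passes and the setting is overwritten without consent.
function hootsuite_demo_save_settings_unsafe() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    if ( isset( $_POST['hootsuite_demo_autopost'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['hootsuite_demo_autopost'] ) );
        update_option( 'hootsuite_demo_autopost', $value );
    }
}

// --- Hardened form: embeds a nonce bound to this action and the current user.
function hootsuite_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hootsuite_demo_save_settings">
        <?php wp_nonce_field( 'hootsuite_demo_save_settings', 'hootsuite_demo_nonce' ); ?>
        <label>
            <input type="checkbox" name="hootsuite_demo_autopost" value="1"
                <?php checked( get_option( 'hootsuite_demo_autopost' ), '1' ); ?>>
            Automatically post new articles to Hootsuite
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened handler: refuses the request unless the nonce verifies and the
// user actually holds the capability the action requires.
function hootsuite_demo_save_settings_safe() {
    // Capability check: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: a cross-site page cannot read the victim's nonce value, so a
    // forged request arrives without a valid one and is rejected here.
    $nonce = isset( $_POST['hootsuite_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['hootsuite_demo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'hootsuite_demo_save_settings' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    // Only now is the state change applied.
    $value = isset( $_POST['hootsuite_demo_autopost'] ) ? '1' : '0';
    update_option( 'hootsuite_demo_autopost', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_hootsuite_demo_save_settings', 'hootsuite_demo_save_settings_safe' );
```

`wp_verify_nonce()` together with `current_user_can()` is the explicit form of what `check_admin_referer()` does in one call; either is acceptable, but the nonce alone is not a substitute for the capability check, since a nonce only proves the request originated from a form the site rendered for that user, not that the user is authorized for the action.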
OpenCVE Enrichment