Impact
The vulnerability is a cross-site request forgery (CSRF) flaw in the WordPress reCAPTCHA Jetpack plugin that lets an attacker cause unintended actions on the site while an authorized user is logged in. Forged requests accepted by the plugin can modify its settings, submit spam, or otherwise alter site content or configuration. The weakness is improper request validation (CWE-352); it primarily threatens the integrity of the site rather than confidentiality or availability.
Affected Systems
The affected product is the WordPress reCAPTCHA Jetpack plugin by bozdoz. Versions 0.2.2 and earlier are vulnerable. No specific CPE was provided, but every installation of the plugin at those versions is affected.
Risk and Exploitability
The CVSS score of 4.3 reflects a low overall severity. The EPSS score is less than 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The most likely attack scenario involves a maliciously crafted link or form that an authenticated user is persuaded to visit; the user's browser then submits a forged request on that user's behalf. Because the impact depends on the privileges of the logged-in user, the overall risk is moderate to low unless the site operates the plugin under high-privilege accounts.
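The request-validation gap the advisory attributes to CWE-352, shown as an added illustration rather than code from the bozdoz plugin: a hypothetical WordPress settings handler that accepts any POST reaching it, beside the same handler protected by a nonce and a capability check. The function and option names (rcj_*) are invented for this example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical settings handler
// for a reCAPTCHA-style plugin, first as a CWE-352 CSRF-vulnerable version,
// then hardened with a WordPress nonce and a capability check.
// Option/field names (rcj_site_key, rcj_secret_key) are made up for this example.

// VULNERABLE: trusts any POST that reaches admin-post.php. A form on a third-party
// page submitted by a logged-in administrator's browser passes straight through.
function rcj_save_settings_vulnerable() {
    update_option( 'rcj_site_key',   sanitize_text_field( wp_unslash( $_POST['rcj_site_key'] ?? '' ) ) );
    update_option( 'rcj_secret_key', sanitize_text_field( wp_unslash( $_POST['rcj_secret_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rcj&saved=1' ) );
    exit;
}

// HARDENED: the settings form embeds a nonce tied to the action name, and the
// handler (1) verifies that nonce and (2) confirms the user may manage options.
function rcj_settings_form_hardened() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rcj_save_settings">
        <?php wp_nonce_field( 'rcj_save_settings', 'rcj_nonce' ); ?>
        <input type="text" name="rcj_site_key">
        <input type="password" name="rcj_secret_key">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function rcj_save_settings_hardened() {
    // Stops with a 403 page unless rcj_nonce is a valid nonce for this action
    // issued to the current user; a cross-site form cannot obtain that value.
    check_admin_referer( 'rcj_save_settings', 'rcj_nonce' );
    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    update_option( 'rcj_site_key',   sanitize_text_field( wp_unslash( $_POST['rcj_site_key'] ?? '' ) ) );
    update_option( 'rcj_secret_key', sanitize_text_field( wp_unslash( $_POST['rcj_secret_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rcj&saved=1' ) );
    exit;
}

// Only the hardened handler is registered; admin_post_{action} fires for logged-in users.
add_action( 'admin_post_rcj_save_settings', 'rcj_save_settings_hardened' );
```

When reviewing a plugin for this flaw, look for every `admin_post_*`, `admin-ajax.php` and options-page handler that writes state without a `check_admin_referer`/`wp_verify_nonce` call paired with a `current_user_can` check.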