The illow – Cookies Consent WordPress plugin contains a cross‑site request forgery flaw that allows an attacker to craft requests that are automatically submitted by a user’s browser, potentially causing the user to alter or remove cookie consent settings without their awareness. This weakness corresponds to CWE‑352 and provides unauthorized manipulation of site‑level settings, compromising user choice and compliance with data‑protection regulations.

WordPress sites that have installed the illow – Cookies Consent plugin version 0.2.0 or older from the illow vendor are affected. The vulnerability applies universally to any installation that has the plugin activated, regardless of the underlying WordPress version.

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a user visiting a malicious or crafted link that exploits the plugin’s lack of CSRF protection. No additional prerequisites are stated, though an active authenticated session as a site administrator would markedly increase the impact.