Impact
The Hash Form plugin for WordPress suffers from a CSRF flaw (CWE-352) that allows attackers to trigger form submissions on behalf of a logged-in user without any deliberate action by that user. Because the plugin does not validate a CSRF token (a WordPress nonce) or perform any anti-replay checks, a malicious site can automatically submit data to the plugin's endpoints, causing the victim's browser to carry out any action that user is permitted to perform, such as creating, updating, or deleting content or changing site settings. This vulnerability permits an attacker to compromise integrity and, depending on the user's privileges, potentially expose sensitive information.
Affected Systems
All installations of hashthemes Hash Form for WordPress that are at version 1.2.8 or earlier are affected. Any WordPress site that includes this plugin and has not been updated beyond that release is vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of < 1 % reflects a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would most likely exploit the weakness by luring an authenticated user to a malicious page that automatically posts to the plugin’s endpoint without a CSRF token. Because the action requires a valid user session, the risk is limited to the capabilities of that user, but it still allows unauthorized content manipulation or configuration changes.
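The missing check described above, illustrated with an added example that is not Hash Form's own code: a minimal WordPress admin-post handler shown first in the unprotected form and then hardened with a nonce (the WordPress CSRF token) and a capability check. The hook names, option name and `hypo_*` functions are hypothetical; for AJAX endpoints `check_ajax_referer()` plays the same role as the nonce check shown here.

```php
<?php
// Added illustration (not Hash Form's code). All hypo_* names are hypothetical.

// --- Vulnerable pattern: any POST to admin-post.php?action=hypo_save_form_unsafe
// is honoured as long as the browser attaches the victim's logged-in cookie. ---
function hypo_save_form_unsafe() {
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'hypo_form_title', $title ); // attacker-chosen value lands here
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-form' ) );
    exit;
}
add_action( 'admin_post_hypo_save_form_unsafe', 'hypo_save_form_unsafe' );

// --- Hardened pattern ---
// 1. Render the form with a nonce bound to this action and the current session.
function hypo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'hypo_save_form', 'hypo_form_nonce' ); // hidden nonce field
    echo '<input type="hidden" name="action" value="hypo_save_form">';
    echo '<input type="text" name="title">';
    submit_button( 'Save' );
    echo '</form>';
}

// 2. Verify the nonce AND the capability before touching any state.
function hypo_save_form() {
    // Nonce check: a cross-site page cannot know this value, so forged posts stop here.
    if ( ! isset( $_POST['hypo_form_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['hypo_form_nonce'] ), 'hypo_save_form' ) ) {
        wp_die( 'Security check failed', 'Forbidden', array( 'response' => 403 ) );
    }
    // Capability check: a nonce proves intent, not authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'hypo_form_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-form' ) );
    exit;
}
add_action( 'admin_post_hypo_save_form', 'hypo_save_form' );
```

When auditing a plugin for this class of bug, look for state-changing handlers (admin_post_*, wp_ajax_*, REST callbacks) that read $_POST or $_GET without a preceding wp_verify_nonce(), check_admin_referer() or check_ajax_referer() call.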
OpenCVE Enrichment