Impact
The vulnerability is a Cross‑Site Request Forgery (CWE‑352) in the Seznam Webmaster WordPress plugin versions up to 1.4.7. It occurs because the plugin does not validate a CSRF token or nonce for its privileged admin operations. An attacker can therefore craft a request that, when submitted by the browser of a user who is authenticated to the WordPress site, will cause the plugin to perform actions such as modifying settings, publishing posts, or initiating external services on the victim’s behalf. The impact is that an attacker can have arbitrary plugin actions executed in the context of a logged‑in user without that user’s explicit consent.
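The following is an added illustration, not the Seznam Webmaster plugin’s own code: the unprotected admin handler pattern the advisory describes, next to a hardened version that uses WordPress’s nonce API (wp_nonce_field / check_admin_referer) and a capability check. The function, option and action names (example_*) are hypothetical.

```php
<?php
// Added example; not code from the Seznam Webmaster plugin. All example_* names are hypothetical.

// Vulnerable pattern: the handler trusts any POST that arrives with an authenticated admin session.
// A forged cross-site form submission carrying the victim's cookies is accepted just like a real one.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_api_key'] ) ) {
        update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) ) );
    }
}

// Hardened pattern, part 1: the settings form embeds a nonce bound to one named action.
// The nonce is tied to the current user and session and expires, so a third-party page cannot supply it.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="example_api_key"
               value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler verifies capability and nonce before touching any option.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops execution with a 403 "link has expired" page when the nonce
    // is missing, forged, issued for another action or user, or expired.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    if ( isset( $_POST['example_api_key'] ) ) {
        update_option( 'example_api_key', sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) ) );
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// admin-post.php dispatches the named action to the hardened handler only for logged-in users.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

For a quick audit, any plugin handler that calls update_option(), wp_insert_post() or an outbound HTTP request on POST data without a preceding check_admin_referer() / wp_verify_nonce() (or check_ajax_referer() for AJAX) exhibits the same weakness.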
Affected Systems
Vendors: Lukáš Hartmann’s Seznam Webmaster WordPress plugin. All releases from the earliest documented version through version 1.4.7 are vulnerable. The plugin is deployed on sites running WordPress and can be installed or updated through the WordPress admin interface.
Risk and Exploitability
The CVSS score of 4.3 indicates a low overall severity. An EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to acquire a victim’s authenticated session or lure the victim’s browser into submitting a malicious request to the plugin’s admin endpoint. Given the CSRF nature of the flaw, the likely attack vector is the victim’s own browser (user agent), which requires social engineering or a compromised page to trigger the request.