Impact
The vulnerability allows an attacker to perform a Cross-Site Request Forgery (CSRF) against the ctltwp Wiki Embed plugin, enabling unauthorized changes to the plugin's settings. This could lead to configuration changes that alter the behavior of the WordPress site, potentially disrupting functionality or creating a vector for further exploitation. The weakness is classified as CWE-352 (Cross-Site Request Forgery): the settings handler does not verify that a state-changing request was intentionally submitted by the authenticated user rather than forged by a third-party site.
Affected Systems
The affected product is ctltwp Wiki Embed; every installation of the plugin from its initial release through version 1.4.6 is affected. No other vendors or product variants are listed as vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate risk, while the EPSS score of less than 1% suggests a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The most likely attack vector is a web-based request that an authenticated user triggers unknowingly, for example through a malicious link or an email containing a forged request. Because CSRF attacks generally require the victim to be logged in to the target site, the attacker would need to entice a privileged user into visiting a crafted URL or into loading a page that embeds a forged request which the victim's browser submits along with the victim's session cookie.
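The control whose absence defines CWE-352 in a WordPress settings form, shown as an added illustration that is not code from the ctltwp Wiki Embed plugin: a hypothetical settings-save handler without the standard checks beside its hardened form. The option name wpx_embed_settings, the action wpx_save_settings and the field names are assumptions.

```php
<?php
// Added illustration (not the ctltwp Wiki Embed plugin's code). Option name
// 'wpx_embed_settings' and action 'wpx_save_settings' are assumed.

// Vulnerable pattern: trusts any POST that reaches admin-post.php. If a logged-in
// administrator's browser submits a form hosted on another site, the browser
// attaches the admin session cookie and the option is overwritten.
function wpx_save_settings_unsafe() {
    update_option( 'wpx_embed_settings', $_POST['wpx_embed_settings'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpx-embed' ) );
    exit;
}

// Hardened pattern: capability check plus a nonce bound to this action and the
// current user. A cross-site forged request cannot contain a valid nonce, so
// check_admin_referer() terminates it before any option is written.
function wpx_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Verifies the _wpnonce field for action 'wpx_save_settings' (and the HTTP
    // referer); dies with 403 if the nonce is missing, expired or another user's.
    check_admin_referer( 'wpx_save_settings' );

    $raw   = isset( $_POST['wpx_embed_settings'] ) ? (array) $_POST['wpx_embed_settings'] : array();
    $clean = array(
        'default_lang' => sanitize_text_field( $raw['default_lang'] ?? 'en' ),
        'max_chars'    => absint( $raw['max_chars'] ?? 500 ),
    );
    update_option( 'wpx_embed_settings', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wpx-embed' ) ) );
    exit;
}
add_action( 'admin_post_wpx_save_settings', 'wpx_save_settings_safe' );

// The legitimate form must emit the nonce field; without it the hardened handler
// rejects the site's own submissions as well.
function wpx_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpx_save_settings">
        <?php wp_nonce_field( 'wpx_save_settings' ); ?>
        <input type="text" name="wpx_embed_settings[default_lang]" value="en">
        <input type="number" name="wpx_embed_settings[max_chars]" value="500">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A quick audit check for this class of bug is to confirm that every admin_post_* or options-save handler in a plugin calls check_admin_referer() or wp_verify_nonce() and a current_user_can() check before update_option().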
OpenCVE Enrichment