Impact
A Cross‑Site Request Forgery (CSRF) vulnerability exists in the apasionados DoFollow Case by Case WordPress plugin, version 3.5.1 and earlier. A remote attacker can cause a logged‑in user, typically an administrator, to submit a request to the plugin that the user did not intend, because the plugin processes state‑changing requests on the strength of the WordPress session cookie alone. A successful attack can change or delete the plugin's settings, add entries the attacker chooses, or otherwise corrupt the site's configuration. As a classic CSRF weakness it does not by itself enable remote code execution or expose data to the attacker, but it does allow the integrity, and potentially the availability, of the affected site to be compromised. The weakness is classified as CWE‑352.
Affected Systems
Affected systems are WordPress installations with the apasionados DoFollow Case by Case plugin installed and activated at version 3.5.1 or earlier; no earlier fixed release is identified, so all versions up to and including 3.5.1 should be treated as affected. The installed version can be confirmed from the Plugins screen in the WordPress dashboard or from the plugin's own header in its main PHP file.
Risk and Exploitability
The risk is moderate: the CVSS score is 4.3 (Medium), the EPSS score is below 1%, indicating a very low observed probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attacker does not need an account on the target site. The attack is carried out from a web browser: the attacker hosts a page (or sends a link) that causes the victim's browser to issue a crafted HTTP request to the plugin's endpoint, and the browser attaches the victim's WordPress session cookie automatically. It therefore requires a user who is already logged in, with enough privilege to change the plugin's settings, to visit the attacker‑controlled page or click the link while the session is active. The attacker cannot act alone without such a victim, but the flaw is practical in social‑engineering and drive‑by scenarios against targeted sites.
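The following is an added illustration of the pattern behind this class of bug and of the standard WordPress fix; it is not code from the DoFollow Case by Case plugin, and the option name, form field, page slug and action hook names (dfcbc_*) are hypothetical. The WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, update_option, wp_safe_redirect) are real core APIs. The vulnerable handler is shown for contrast only and is not hooked; only the hardened handler is registered.

```php
<?php
/*
 * Added example, not the plugin's own code. All dfcbc_* names are assumptions.
 *
 * Forged request as it would be produced by an attacker page (HTML, shown for reference):
 *
 *   <form id="f" method="post" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="dfcbc_save_settings">
 *     <textarea name="dfcbc_dofollow_domains">attacker.example</textarea>
 *   </form>
 *   <script>document.getElementById('f').submit();</script>
 *
 * The victim's browser sends the WordPress auth cookie with this POST, so a handler
 * that relies on the cookie alone cannot tell it apart from a legitimate save.
 */

// --- Vulnerable pattern (CWE-352), NOT hooked: session cookie is the only "proof".
function dfcbc_save_settings_vulnerable() {
    // No nonce and no capability check: any cross-site POST is honoured.
    $domains = isset( $_POST['dfcbc_dofollow_domains'] )
        ? wp_unslash( $_POST['dfcbc_dofollow_domains'] )
        : '';
    update_option( 'dfcbc_dofollow_domains', $domains );
    wp_safe_redirect( admin_url( 'options-general.php?page=dfcbc' ) );
    exit;
}

// --- Hardened pattern: the form carries a per-user, per-action nonce that a
//     cross-origin page cannot read, and the handler refuses requests without it.
function dfcbc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dfcbc_save_settings">
        <?php wp_nonce_field( 'dfcbc_save_settings', 'dfcbc_nonce' ); ?>
        <textarea name="dfcbc_dofollow_domains"><?php
            echo esc_textarea( get_option( 'dfcbc_dofollow_domains', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_dfcbc_save_settings', 'dfcbc_save_settings_hardened' );
function dfcbc_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'dfcbc' ), 403 );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce bound to this
    //    user and action and terminates the request with a 403 page if it is
    //    missing, expired or forged. The forged POST above has no nonce, so it dies here.
    check_admin_referer( 'dfcbc_save_settings', 'dfcbc_nonce' );

    // 3. Input handling: sanitise each submitted line before storing it.
    $raw     = isset( $_POST['dfcbc_dofollow_domains'] )
        ? wp_unslash( $_POST['dfcbc_dofollow_domains'] )
        : '';
    $domains = array_filter( array_map( 'sanitize_text_field', preg_split( '/\R+/', $raw ) ) );
    update_option( 'dfcbc_dofollow_domains', implode( "\n", $domains ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=dfcbc' ) ) );
    exit;
}
```

The nonce does the work: it is derived from the user's session and the action string, is only emitted into pages served to that user, and the same-origin policy keeps an attacker page from reading it, so a forged cross-site POST cannot include a valid one. The capability check is separate and necessary because a nonce proves intent, not authorization. When testing a plugin for this bug, replay a captured settings POST with the nonce field removed or altered; a vulnerable handler still applies the change.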