Impact
The Evergreen Content Poster WordPress plugin contains a cross‑site request forgery flaw that allows an attacker to trigger plugin operations without the user’s explicit consent. Identified as CWE‑352, the vulnerability arises from the plugin accepting state‑changing requests without sufficient request validation. The impact is restricted to the actions that the plugin can perform; it does not provide direct code execution or privilege escalation.
Affected Systems
The affected product is the Evergreen Content Poster WordPress plugin, versions up to and including 1.4.5. No other vendors or product variations are indicated. Any installation running version 1.4.5 or earlier remains vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk level. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not included in CISA’s KEV catalog. The likely attack path involves an adversary sending a forged request from a cross‑site context, such as a malicious webpage or link, which causes an authenticated user to unknowingly invoke a plugin action. No special conditions beyond the standard authentication state are required, making the flaw broadly exploitable for sites running a vulnerable version.
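A heuristic audit for the flaw class described above, as an added example that is not code from the plugin or from this advisory: it scans PHP source for WordPress `admin_post_*` and `wp_ajax_*` handlers whose callbacks never call a nonce-verification function. The embedded PHP and the `demo_` handler names are constructed for illustration and do not reflect the plugin's real code.

```python
import re

# Constructed sample: two hypothetical handlers, NOT the plugin's real code.
SAMPLE_PHP = r"""<?php
add_action('admin_post_demo_save_settings', 'demo_save_settings');
add_action('wp_ajax_demo_post_now', 'demo_post_now');
function demo_save_settings() {
    update_option('demo_interval', absint($_POST['interval']));
    wp_safe_redirect(admin_url('options-general.php'));
    exit;
}
function demo_post_now() {
    check_ajax_referer('demo_post_now', 'nonce');
    wp_send_json_success();
}
"""

# Hooks that expose a callback to browser-initiated, state-changing requests.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]((?:admin_post|wp_ajax)(?:_nopriv)?_[\w-]+)['"]\s*,\s*['"](\w+)['"]"""
)
# WordPress core functions that verify an anti-CSRF nonce.
NONCE_CALLS = ("check_admin_referer", "check_ajax_referer", "wp_verify_nonce")

def function_body(source, name):
    """Return the brace-matched body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    start = source.find("{", m.end()) if m else -1
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return None  # unbalanced braces

def audit(source):
    """List (hook, callback, reason) for handlers lacking a nonce check."""
    findings = []
    for hook, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        if body is None:
            findings.append((hook, callback, "callback not found in file"))
        elif not any(call + "(" in body for call in NONCE_CALLS):
            findings.append((hook, callback, "no nonce verification"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PHP))
```

A finding is a lead for manual review, not proof: the check is textual, so a nonce verified in a helper function or a different file is reported as missing.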