Impact
A Cross‑Site Request Forgery (CSRF) vulnerability exists in the Interactive UK Regional Map WordPress plugin. The settings change endpoint does not validate a CSRF token (a WordPress nonce), so it cannot distinguish a request the administrator intended from one a third‑party page submitted through the administrator's browser. An attacker who crafts such a request and gets an authenticated administrator to load it can change the plugin's settings to arbitrary values. The direct effect is altered mapping configuration; the advisory also notes that the change may enable further malicious activity beyond the plugin itself. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery).
Affected Systems
The plugin is affected in all releases from the earliest publicly available build up through version 2.0. Any WordPress installation running one of these versions of Interactive UK Regional Map remains vulnerable until the plugin is updated to a fixed release or a mitigation is applied.
Risk and Exploitability
The CVSS base score of 4.3 places the issue in the Medium severity band, and the EPSS score of less than 1% estimates a low probability of exploitation in the near term. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so there is no confirmed report of in‑the‑wild exploitation at this time. Exploitation requires user interaction: the victim must click a malicious link or visit an attacker‑controlled or compromised page that submits the forged request, and the victim's browser must hold an active WordPress session with permission to change the plugin's settings. In practice that means the attack is only useful against a logged‑in administrator.
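To make the Impact and Risk descriptions above concrete, the following is an added example and not the plugin's own code. It shows the vulnerable pattern (a settings handler that checks only the user's capability) beside a hardened handler that also verifies a WordPress nonce, together with the forged page that the Risk section describes. The action name `iukrm_save_settings`, the option name `iukrm_settings`, the field names and the victim host are assumptions chosen for illustration; the page does not identify the real endpoint or option names.

```php
<?php
// Added example, not code from the Interactive UK Regional Map plugin.
// All action, option and field names below are hypothetical.

// --- Vulnerable pattern (CWE-352): capability check only, no nonce ---
// current_user_can() does not stop CSRF: the forged request is sent by the
// victim's own browser, carrying the victim's logged-in cookies, so the
// capability check passes for any administrator who loads the attacker page.
function iukrm_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $settings = array(
        'map_region'   => sanitize_text_field( wp_unslash( $_POST['map_region'] ?? '' ) ),
        'default_zoom' => absint( $_POST['default_zoom'] ?? 0 ),
    );
    update_option( 'iukrm_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=iukrm&updated=1' ) );
    exit;
}

// --- Hardened handler: capability check AND nonce verification ---
function iukrm_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the _wpnonce field, which is bound to
    // both the action name and the current user's session. A cross-site page
    // cannot read or guess it, so a forged request is rejected with wp_die().
    check_admin_referer( 'iukrm_save_settings', '_wpnonce' );

    $settings = array(
        'map_region'   => sanitize_text_field( wp_unslash( $_POST['map_region'] ?? '' ) ),
        'default_zoom' => absint( $_POST['default_zoom'] ?? 0 ),
    );
    update_option( 'iukrm_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=iukrm&updated=1' ) );
    exit;
}
// admin-post.php dispatches POST requests with action=iukrm_save_settings here.
add_action( 'admin_post_iukrm_save_settings', 'iukrm_save_settings_hardened' );

// --- Legitimate settings form: the nonce is emitted by the plugin's own page ---
function iukrm_render_settings_form() {
    $current = get_option( 'iukrm_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="iukrm_save_settings">
        <?php wp_nonce_field( 'iukrm_save_settings', '_wpnonce' ); ?>
        <label>Region
            <input type="text" name="map_region"
                   value="<?php echo esc_attr( $current['map_region'] ?? '' ); ?>">
        </label>
        <label>Default zoom
            <input type="number" name="default_zoom"
                   value="<?php echo esc_attr( $current['default_zoom'] ?? 0 ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

/*
 Constructed attacker page (illustration only; host and values are made up).
 When a logged-in administrator loads it, the browser POSTs to the victim site
 with the administrator's cookies. Against the vulnerable handler the settings
 are overwritten silently; against the hardened handler the missing _wpnonce
 causes check_admin_referer() to abort before update_option() runs.

 <form id="f" method="post" action="https://victim.example/wp-admin/admin-post.php">
   <input type="hidden" name="action" value="iukrm_save_settings">
   <input type="hidden" name="map_region" value="attacker-chosen-value">
   <input type="hidden" name="default_zoom" value="1">
 </form>
 <script>document.getElementById('f').submit();</script>
*/
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `admin_action_*`, `wp_ajax_*` and `admin_init` handler that calls `update_option()` and confirm that each one calls `check_admin_referer()` or `wp_verify_nonce()` before writing; a capability check or an `is_admin()` test on its own does not prove the request came from the user.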