The vulnerability is a classic CSRF flaw identified as CWE‑352 that allows an attacker to forge form submissions or API calls to the plugin while a legitimate user is authenticated. This could let the attacker trigger plugin‑specific actions, such as posting content to Discord channels, execute administrative commands, or otherwise influence the WordPress site in ways that the original user could do. The design of the plugin exposes these sensitive operations without verifying an honest request origin, leaving them open to exploitation during a user session.

The affected product is the WordPress plugin WP Discord Post Plus – Supports Unlimited Channels, released by wptasker. All installations running version 1.0.2 or earlier are vulnerable; versions prior to 1.0.2 are also affected, though the specific starting version is not disclosed. The plugin runs within any WordPress installation that has it installed.

The CVSS score of 5.3 indicates moderate severity; however, the EPSS score of less than 1% suggests that, at the time of analysis, the likelihood of public exploitation is low. Attackers would need to lure an authenticated user to visit a malicious URL or submit a crafted form targeting the plugin’s endpoints, which is inferred from the described CSRF flaw. The likely attack vector involves a crafted URL or form submission that the authenticated user might be tricked into executing while logged into WordPress. The vulnerability is not listed in the CISA KEV catalog, indicating no widespread or confirmed exploitation events have been reported. Despite the low exploitation probability, the consequences if exploited could impact the confidentiality and integrity of site content, warranting timely remediation.