Impact
This flaw affects BoldGrid's Post and Page Builder plugin for WordPress, up to and including version 1.27.8. It allows a remote attacker to forge requests that appear to come from a logged‑in user, so that privileged state‑changing actions, such as editing or publishing posts, are carried out in that user's name. The vulnerability stems from missing or ineffective CSRF token validation (CWE‑352) and does not provide direct code execution. If an attacker succeeds, the impact is unauthorized modification or removal of content through the victim's authenticated session.
Affected Systems
WordPress sites that have installed BoldGrid Post and Page Builder by BoldGrid, any version up through and including 1.27.8, are affected. Users should verify the installed plugin version and update if the version is 1.27.8 or older.
Risk and Exploitability
Based on the description, the likely attack vector is a crafted link or form that an authenticated user clicks or submits, causing the plugin to process the forged request. The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1 % suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to lure an authenticated user to a crafted URL or form, or to place content that triggers the vulnerable request. The attacker needs no account of their own, but the reachable impact is bounded by the rights of the victim whose session is abused, so the threat is confined to actions that the victim is already permitted to perform through the plugin.
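The pattern behind CWE‑352 in a WordPress plugin, and the fix, are easiest to see side by side. The following is an added illustration, not code from BoldGrid Post and Page Builder (the advisory does not identify the affected handler); the action names, the `hypothetical_*` functions and the script handle are assumptions chosen for the example. The first handler accepts any request carrying the victim's login cookie; the second requires a nonce tied to the action and the user (which a cross‑site page cannot obtain) and checks the capability for the specific post before changing state.

```php
<?php
/**
 * Added illustration, not code from the BoldGrid Post and Page Builder plugin.
 * Action names, function names and the script handle are hypothetical; they
 * show the generic CWE-352 pattern and its fix in a WordPress AJAX handler.
 */

// --- Vulnerable pattern (shown for contrast, deliberately NOT hooked) -------
// Any page the logged-in victim visits can POST to
// admin-ajax.php?action=hypothetical_save_layout; the browser attaches the
// WordPress login cookie, and nothing proves the request originated from the
// plugin's own UI. The session alone is treated as authorization.
function hypothetical_save_layout_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $content = wp_unslash( $_POST['content'] ?? '' );
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}

// --- Hardened pattern: nonce check + capability check ----------------------
function hypothetical_save_layout_hardened() {
    // Rejects the request (HTTP 403, body "-1") when the 'nonce' field is
    // absent, expired, issued for another action, or issued to another user.
    check_ajax_referer( 'hypothetical_save_layout', 'nonce' );

    // A valid nonce proves intent, not authority: still check that this user
    // may edit this particular post.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Sanitize the payload and surface update failures instead of ignoring them.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    $result  = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $content ),
        true // return WP_Error on failure rather than 0
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_hypothetical_save_layout', 'hypothetical_save_layout_hardened' );

// --- Client side: issue the nonce only to the plugin's own editor script ----
// The value is embedded in the admin page for the current user; a third-party
// origin cannot read it, so it cannot build a request the server accepts.
function hypothetical_enqueue_editor_script( $hook ) {
    if ( 'post.php' !== $hook && 'post-new.php' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'hypothetical-editor',
        plugins_url( 'editor.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'hypothetical-editor', 'hypotheticalEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypothetical_save_layout' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypothetical_enqueue_editor_script' );
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*`, `admin_post_*` and REST callback that writes data and confirm it calls `check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce` before acting, and that the nonce check is paired with a `current_user_can` test scoped to the object being changed; a nonce alone does not establish that the user is allowed to make the change.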
OpenCVE Enrichment