Impact
A Cross‑Site Request Forgery flaw exists in the NetInsight Analytics Implementation Plugin up to version 1.0.3, allowing an attacker to trick a logged‑in user into performing unwanted actions through the plugin’s endpoints. The vulnerability does not provide direct code execution or data leakage, but it could be used to modify analytics settings, trigger data exports, or otherwise alter the plugin’s behavior. The weakness is identified as CWE-352, a classic CSRF issue where state‑changing requests lack proper anti‑CSRF tokens or validation.
Affected Systems
All releases of the lisensee NetInsight Analytics Implementation Plugin through version 1.0.3 are vulnerable; any site that has not upgraded past 1.0.3 should be treated as exposed to this risk.
Risk and Exploitability
The CVSS score of 4.3 classifies the flaw as medium severity, and the EPSS score of < 1% indicates exploit attempts are very unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve a malicious link or form that forces a victim’s browser to send a forged request to the plugin’s endpoint; exploitation requires a user who is authenticated to the WordPress instance and has the necessary permissions to access the affected functionality.
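The missing validation described above, shown as an added example that is not the plugin's own code: a hypothetical WordPress settings handler in the unprotected shape next to a hardened one that checks capability and a nonce. The `demo_*` function names, the action name, the nonce field and the option key are assumptions made for illustration.

```php
<?php
// Added illustration. All demo_* names and the option key are hypothetical,
// not taken from the NetInsight plugin.

// BEFORE: the handler trusts any request that carries the admin's session
// cookie, so a form hosted on another origin can submit it for the admin.
function demo_save_settings_unprotected() {
    $id = sanitize_text_field( wp_unslash( $_POST['tracking_id'] ?? '' ) );
    update_option( 'demo_analytics_tracking_id', $id );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-analytics' ) );
    exit;
}

// AFTER: same state change, gated on capability and a per-user, per-action nonce.
function demo_save_settings() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: dies unless demo_nonce is a valid nonce for this action.
    //    A cross-site page cannot read the nonce, so a forged request fails here.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    $id = sanitize_text_field( wp_unslash( $_POST['tracking_id'] ?? '' ) );
    update_option( 'demo_analytics_tracking_id', $id );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-analytics' ) );
    exit;
}
// State changes go through POST to admin-post.php, never through a GET link.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );

// The form embeds the nonce that the hardened handler verifies.
function demo_render_settings_form() {
    $current = get_option( 'demo_analytics_tracking_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="text" name="tracking_id" value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of flaw, look for `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks that write options or trigger exports without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call before the state change.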